CCDP: Cisco Internetwork Design Study Guide
Robert Padjen with Todd Lammle
Warranty
SYBEX warrants the enclosed media to be free of physical
defects for a period of ninety (90) days after purchase. The
Software is not available from SYBEX in any other form or
media than that enclosed herein or posted to www.sybex.com.
If you discover a defect in the media during this warranty
period, you may obtain a replacement of identical format at
Copy Protection
The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or
redistributing these files without authorization is expressly
forbidden except as specifically provided for by the Owner(s)
therein.
Acknowledgments
Bob Collins
While there are times where I don't know if I should thank him or kick
him, I need to acknowledge Todd for making my life even more of a hectic
event.
Thanks to all of the copy editors and technical editors; there were a lot.
A special note of thanks to Dave, who kept me on my toes and challenged me
to the point of irritation, and Emily, who may have persuaded me to never
go down to Australia. It's a better book because of all of the editors, and I am
grateful for their insight and diligence. I also want to thank Julie, Linda R.,
Lance S., Dann, Neil, and Linda L. for their assistance.
Then, of course, there is the whole Production crew: Shannon M., Nila N.,
Tony J., Keith M., Kara S., Patrick P., Dave N., Alison M., and Laurie O.
Without them, this book would be nothing but a bunch of files.
Introduction
This book is intended to help you continue on your exciting new path
toward obtaining your CCDP and CCIE certification. Before reading this
book, it is important to have at least studied the Sybex CCNA Study Guide.
You can take the tests in any order, but the CCNA exam should probably be
your first test. It would also be beneficial to have read the Sybex ACRC
Study Guide. Many questions in the CID exam build upon the CCNA and
ACRC material. We've done everything possible to make sure that you can
pass the CID exam by reading this book and practicing with Cisco routers
and switches. Note that compared to most other Cisco certifications, the
CID exam is more theoretical. Practical experience will help you, especially
in regard to Chapters 3, 4, 5, 6, 7, and 10. You'll benefit from hands-on
experience in the other chapters, but to a lesser degree.
systems. Today's GSR product can forward millions more packets than the
7000, for example. Cisco Systems has since become an unrivaled worldwide
leader in networking for the Internet. Its networking solutions can easily
connect users who work from diverse devices on disparate networks. Cisco
products make it simple for people to access and transfer information without regard to differences in time, place, or platform.
Cisco Systems' big picture is that it provides end-to-end networking solutions that customers can use to build an efficient, unified information infrastructure of their own or to connect to someone else's. This is an important
piece in the Internet/networking-industry puzzle because a common architecture that delivers consistent network services to all users is now a functional imperative. Because Cisco Systems offers such a broad range of
networking and Internet services and capabilities, users needing regular
access to their local network or the Internet can do so unhindered, making
Cisco's wares indispensable. The company has also challenged the industry
by acquiring and integrating other technologies into its own.
Cisco answers users' need for access with a wide range of hardware products that are used to form information networks using the Cisco Internet
Operating System (IOS) software. This software provides network services,
paving the way for networked technical support and professional services to
maintain and optimize all network operations.
Along with the Cisco IOS, one of the services Cisco created to help support the vast amount of hardware it has engineered is the Cisco Certified
Internetworking Expert (CCIE) program, which was designed specifically to
equip people to manage effectively the vast quantity of installed Cisco networks. The business plan is simple: If you want to sell more Cisco equipment
and have more Cisco networks installed, you must ensure that the networks
you installed run properly.
However, having a fabulous product line isn't all it takes to guarantee the
huge success that Cisco enjoys; lots of companies with great products are
now defunct. If you have complicated products designed to solve complicated problems, you need knowledgeable people who are fully capable of
installing, managing, and troubleshooting them. That part isnt easy, so
Cisco began the CCIE program to equip people to support these complicated
networks. This program, known colloquially as the Doctorate of Networking, has also been very successful, primarily due to its stringent standards.
Cisco continuously monitors the program, changing it as it sees fit, to make
sure that it remains pertinent and accurately reflects the demands of today's
internetworking business environments.
Building upon the highly successful CCIE program, Cisco Career Certifications permit you to become certified at various levels of technical proficiency, spanning the disciplines of network design and support. So, whether
you're beginning a career, changing careers, securing your present position,
or seeking to refine and promote your position, this is the book for you!
Optimize WAN through Internet-access solutions that reduce bandwidth and WAN costs, using features such as filtering with access lists, bandwidth on demand (BOD), and dial-on-demand routing (DDR).
Provide remote access by integrating dial-up connectivity with traditional remote LAN-to-LAN access, as well as supporting the higher levels of performance required for new applications such as Internet commerce, multimedia, etc.
Cisco router courses over the Internet using the Sybex Cisco Certification
series books. Go to www.cyberstateu.com for more information. In addition, Keystone Learning Systems (www.klscorp.com) offers the popular
Cisco video certification series, featuring Todd Lammle.
For online access to Cisco equipment, readers should take a look at
www.virtualrack.com.
It can also be helpful to take an Introduction to Cisco Router Configuration (ICRC) course at an authorized Cisco Education Center, but you should
understand that this class doesn't meet all of the test objectives. If you decide
to take the course, reading the Sybex CCNA Study Guide, in conjunction
with the hands-on course, will give you the knowledge that you need for
certification.
A Cisco router simulator that allows you to practice your routing skills
for preparation of your Cisco exams is available at www.routersim.com.
For additional practice exams for all Cisco certification courses, please
visit www.boson.com.
If you hate tests, you can take fewer of them by signing up for the CCNA exam
and the Support exam, and then taking just one more long exam called the
Foundation R/S exam (640-509). Doing this also gives you your CCNP, but
beware, it's a really long test that fuses all the material listed previously into
one exam. Good luck! However, by taking this exam, you get three tests for
the price of two, which saves you $100 (if you pass). Some people think it's
easier to take the Foundation R/S exam because you can leverage the areas in
which you score higher against the areas in which you score lower.
Remember that test objectives and tests can change at any time without
notice. Always check the Cisco Web site for the most up-to-date information
(www.cisco.com).
which many people fail two or more times. (Some never make it
through!) Also, because you can take the exam only in San Jose, California; Research Triangle Park, North Carolina; Sydney, Australia;
Halifax, Nova Scotia; Tokyo, Japan; or Brussels, Belgium, you might
need to add travel costs to this figure.
The CCIE Skills
The CCIE Router and Switching exam includes the advanced technical skills
that are required to maintain optimum network performance and reliability,
as well as advanced skills in supporting diverse networks that use disparate
technologies. CCIEs have no problems getting a job. These experts are basically inundated with offers to work for six-figure salaries! But that's because
it isn't easy to attain the level of capability that is mandatory for Cisco's
CCIE. For example, a CCIE will have the following skills down pat:
Design simple routed LAN, routed WAN, and switched LAN and ATM LANE networks.
Size networks.
The Sybex CCDA Study Guide is the most cost-effective way to study for and
pass your CCDA exam.
Performance considerations, including required hardware and software, switching engines, memory, cost, and minimization.
SNA networking and mainframes are covered in Chapter 10. This chapter
introduces the ways to integrate SNA networks into modern, large-scale
routed environments, using technologies including STUN, RSRB, DLSw+,
and APPN.
Chapter 11 focuses on security as a component of network design. This
includes the placement and use of firewalls and access lists in the network.
Chapter 12 summarizes the text and provides an overview of the network
management.
Chapter 13 departs from the somewhat dated CID exam objectives and
introduces a few of the more current issues and challenges facing modern
network designers. This section covers IP multicast, VPN technology, and
encryption.
Within each chapter there are a number of sidebars titled Network
Design in the Real World. This material may either augment the main text
or present additional information that can assist the network designer in
applying the material. Each chapter ends with review questions that are specifically designed to help you retain the knowledge presented.
We've included an objective map on the inside front cover of this book that
helps you find all the information relevant to each objective in this book. Keep
in mind that all of the actual exam objectives covered in a particular chapter
are listed at the beginning of that chapter.
number is 640-025.)
2. Register with the nearest Sylvan Prometric Registration Center. At this
point, you will be asked to pay in advance for the exam. At the time
of this writing, the exams are $100 each and must be taken within one
Arrive early at the exam center, so you can relax and review your study materials.
the information and the test objectives listed at the beginning of each
chapter.
2. Answer the review questions related to that chapter. (The answers are
in Appendix A.)
3. Note the questions that confuse you, and study those sections of the
book again.
4. Before taking the exam, try your hand at the practice exams that are
included on the CD that comes with this book. They'll give you a complete overview of what you can expect to see on the real thing. Note
that the CD contains questions not included in the book.
5. Remember to use the products on the CD that is included with this
book. Visio, EtherPeek, and the EdgeTest exam-preparation software have all been specifically picked to help you study for and pass
your exam.
To learn all the material covered in this book, you'll have to apply yourself regularly and with discipline. Try to set aside the same time period
every day to study, and select a comfortable and quiet place to do so. If you
work hard, you will be surprised at how quickly you learn this material. All
the best!
Assessment Test
1. A LANE installation requires what three components?
2. In modern networks, SNA is a disadvantage because of what
limitation?
3. The native, non-routable encapsulation for NetBIOS is _______.
4. The FEP runs VTAM. True or false?
5. Switches operate at ______ of the OSI model.
6. ATM uses ________ in AAL 5 encapsulation.
7. Clients locate the server in Novell networks by sending a _________
request.
8. Most network management tools use ______ to communicate with
devices.
9. The address 127.50.0.14 is part of what class?
10. The formula for determining the number of circuits needed for a full-
applications.
12. An IP network with a mask of 255.255.255.252 supports how many
_______.
22. Multilink Multichassis PPP uses what proprietary protocol?
23. Hub-and-spoke networks could also be called ________.
24. What datagrams are typically forwarded with the ip helper-address
command?
25. Type 20 packets are used for what function?
26. A user operates a session running on a remote workstation or server
__________.
32. What are L2TP, IPSec, and L2F typically used for?
33. TACACS+ and RADIUS provide what services?
34. What is an FEP?
35. For voice, video, and data integration, designers should use which
WAN protocol?
36. What is the default administrative distance for OSPF?
37. Network monitoring relies on what protocol?
38. What is a connection via dial-up, ISDN, or another technology that
See Chapter 3.
10. N * (N - 1) / 2. See Chapter 8.
11. A single. See Chapter 9.
12. Two. See Chapter 3.
13. Two B channels of 64Kbps each and one D channel of 16Kbps.
See Chapter 9.
14. Token Ring. See Chapter 10.
15. Improved. See Chapter 10.
16. Link-state. See Chapter 4.
17. Cable-range. See Chapter 5.
Chapter 1
Introduction to Network Design
CISCO INTERNETWORK DESIGN EXAM
OBJECTIVES COVERED IN THIS CHAPTER:
Demonstrate an understanding of the steps for designing
internetwork solutions.
Analyze a client's business and technical requirements and
select appropriate internetwork technologies and topologies.
Construct an internetwork design that meets a client's
objectives for internetwork functionality, performance,
and cost.
Define the goals of internetwork design.
Define the issues facing designers.
List resources for further information.
Identify the origin of design models used in the course.
Define the hierarchical model.
Network design is one of the more interesting facets of computing. While there are many disciplines in information technology, including help desk, application development, project management, workstation
support, and server administration, network design is the only one that
directly benefits from all these other disciplines. It incorporates elements of
many disciplines into a single function. Network designers frequently find
that daily challenges require a certain amount of knowledge regarding all of
the other IT disciplines.
The network designer is responsible for solving the needs of the business
with the technology of the day. This requires knowledge of protocols, operating systems, departmental divisions in the enterprise, and a host of other
areas. The majority of network design projects require strong communication skills, leadership, and research and organizational talents. Project management experience can also greatly benefit the process, as most network
design efforts will require scheduling and budgeting with internal and external resources, including vendors, corporate departments, service providers,
and the other support and deployment organizations within the enterprise.
This text will both provide an introduction to network design and serve
as a reference guide for future projects. Its primary purpose is to present the
objectives for the CCDP: Cisco Internetwork Design examination and to
prepare readers to pass this certification test. However, it would be unfortunate to read this book only in the context of passing the exam. A thorough
understanding of network design not only assists administrators in troubleshooting, but enables them to permanently correct recurrent problems in the
network. An additional perk is the satisfaction that comes with seeing a network that you designed and deployed, especially a year later when only
minor modifications have been needed and all of those were part of your
original network design plan.
It has been stated that network design is 50 percent technology, 50 percent diplomacy, and 50 percent magic. While written examinations will
likely ignore the last item, mastery of the first two is critical in exam
preparation.
In actuality, network design is simply the implementation of a technical
solution to solve a nontechnical problem. Contrary to expectations, network
design is not as basic as configuring a router, although we will address this
critical component. Rather, as presented in this first chapter, network design
is a multifaceted effort to balance various constraints with objectives.
Network design encompasses three separate areas: conception, implementation, and review. This chapter will elaborate on these areas and
expand the scope of each. It's important to remember that each phase is
unique and requires separate attention. The final phase of network design
review, is perhaps more important than any other phase, as it provides
valuable information for future network designs and lessons for other
projects. Readers should consider how they might design networks deployed
with the technology referenced in this text; the easiest methodology is to
establish a list of metrics from which to make a comparison. Designers who
meet the original metrics for the project usually find that the network is successful in meeting the customer's needs.
Each design, whether the simple addition of a subnet or the complete
implementation of a new international enterprise network, must address the
same goals: scalability, adaptability, cost control, manageability, predictability, simplicity of troubleshooting, and ease of implementation. A good
design will both address current needs while effectively accommodating
future needs. However, two constraints limit most designs' ability to address
these goals: time and money. Typical network technology lasts only 24 to 60
months, while cabling and other equipment may be expected to remain for
over 15 years. The most significant constraint, though, will almost always be
financial.
The actual expected life of a cable plant is subject to some debate. Many networks are already coming close to the 15-year mark on the data side, and the
voice side already has upwards of 60 years. The trend has been for copper
cable to have some built-in longevity, and such efforts as Digital Subscriber
Line (DSL), Category 5E, and Gigabit Ethernet over copper are solid evidence
that corporations will continue to regard this copper infrastructure as a long-term investment.
With that said, let's focus on some of the theory behind network designs.
Scalability
Scalability refers to an implementation's ability to address the needs of an
increasing number of users. For example, a device with only two interfaces
will likely not provide as much service and, therefore, not be as scalable as
a device with 20. Twenty interfaces will likely cost a great deal more and will
undoubtedly require greater amounts of rack space, and so scalability is
often governed by another goal: controlling costs. Architects are often challenged to maintain future-proof designs while maintaining the budget.
Factors that augment scalability include high-capacity backbones, switching technology, and modular designs. Additional considerations regarding
scalability include the number of devices in the network, CPU utilization,
and memory availability. For example, a network with one router is likely to
be less scalable than a network with three, even if the three routers are substantially smaller than the one.
Adaptability
While similar to scalability, adaptability need not address an increase in the
number of users. An adaptable network is one that can accommodate new
services without significant changes to the existing structure, for example,
adding voice services into the data network. Designers should consider Asynchronous Transfer Mode (ATM) where the potential for this adaptive step
exists. For example, the possibility of adding voice service later would negate
the use of Fiber Distributed Data Interface (FDDI) in the initial network
design. Making this determination requires a certain amount of strategic
planning, rather than a purely short-term tactical approach, and could therefore make a network more efficient and cost-effective. However, this section
is not intended to advocate the use of any specific technology, but rather to
show the benefits of an adaptable network.
Adaptability is one aspect of network design where using a matrix is beneficial. A matrix is a weighted set of criteria, designed to remove subjectivity
from the decision-making process. Before reviewing vendors and products, a
designer will typically work with managers, executives, and others to construct a matrix, assigning a weight to each item. While a complete matrix
should include support and cost, a simple matrix could include only the
adaptability issues. For example, the use of variable-length subnet masks
might be weighted with a five (on a scale from one to five), while support for
SNMP (Simple Network Management Protocol) v.3 might only garner a
weight of one. Under these conditions, the matrix may point to a router that
can support Enhanced Interior Gateway Routing Protocol (EIGRP) or Open
Shortest Path First (OSPF) over one with a higher level of manageability,
assuming that there is some mutual exclusivity.
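As an added illustration (not from the book), here is a small Python version of such a matrix. The two weights named in the text, five for VLSM support and one for SNMPv3, are used as given; the other criteria, the two candidate routers, and every score are constructed assumptions chosen to model the mutual exclusivity the text describes.

```python
"""Weighted decision matrix for comparing candidate routers.

Added example, not from the book. The weights for VLSM and SNMPv3 follow
the text's example; every other criterion, candidate and score is constructed.
"""

# Criterion weights on a 1 (low) to 5 (high) scale.
WEIGHTS = {
    "VLSM support (EIGRP/OSPF)": 5,  # weight given in the text
    "SNMPv3 support": 1,             # weight given in the text
    "purchase cost": 3,              # assumed
    "vendor support": 2,             # assumed
}

# Each candidate is scored 1 (poor) to 5 (excellent) on every criterion.
# Constructed so that one box is more manageable and the other routes better.
CANDIDATES = {
    "Router X (classful only, SNMPv3)": {
        "VLSM support (EIGRP/OSPF)": 1,
        "SNMPv3 support": 5,
        "purchase cost": 4,
        "vendor support": 3,
    },
    "Router Y (EIGRP/OSPF, SNMPv1 only)": {
        "VLSM support (EIGRP/OSPF)": 5,
        "SNMPv3 support": 1,
        "purchase cost": 3,
        "vendor support": 3,
    },
}


def weighted_score(weights, scores):
    """Sum of weight * score over every criterion. Incomplete or out-of-range
    scoring is rejected so a missing entry cannot silently favour a candidate."""
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise ValueError(f"candidate not scored on {criterion!r}")
        if not (1 <= scores[criterion] <= 5 and 1 <= weight <= 5):
            raise ValueError(f"scores and weights must be 1-5 ({criterion!r})")
    return sum(weights[c] * scores[c] for c in weights)


def rank_candidates(weights, candidates):
    """Return (name, total) pairs, highest weighted score first."""
    scored = [(name, weighted_score(weights, s)) for name, s in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def criterion_contribution(weights, scores):
    """Per-criterion weight * score, handy when explaining a ranking to management."""
    return {c: weights[c] * scores[c] for c in weights}


if __name__ == "__main__":
    for name, total in rank_candidates(WEIGHTS, CANDIDATES):
        print(f"{total:3d}  {name}")
        for crit, part in criterion_contribution(WEIGHTS, CANDIDATES[name]).items():
            print(f"       {part:2d}  {crit}")
```

With these weights the routing-capable box wins (41 to 28) even though the other is more manageable, which is the outcome the text anticipates; changing the weights in WEIGHTS, rather than arguing about individual products, is where the matrix removes subjectivity.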
Cost Control
Financial considerations often overshadow most other design goal elements.
If costs were not an issue, everyone would purchase OC-192 SONET (Synchronous Optical Network) rings for their users with new equipment
installed every three months. Clearly this is not the real world. The network designer's role is often similar to that of a magician: both must frequently pull rabbits from their hats, but the network designer has the added
responsibility of balancing dollars with functions. Therefore, the designer is
confronted with the same cost constraints as all other components of a business. The fundamental issue at this point must be how to cope with this limitation without sacrificing usability. There are a number of methods used in
modern network design to address this problem.
First, many companies have a network budget linked to the IT (Information Technology) department. This budget is typically associated with such
basic, general services as baseline costs: wiring, general desktop connectivity, and corporate access to services such as the Internet. There is typically
also a second source of funding for the IT department from project-related
work. This work comes in the form of departmental requests for service
beyond the scope of general service. It may involve setting up a workgroup
server or lab environment, or it may involve finding a remote-access solution
so that the executives can use a newer technology, DSL, for example. These
projects are frequently paid for by the requesting department and not IT. In
such cases, the requesting department may even cover costs that are not
immediately related to its project. In the DSL project, for example, few companies would argue with the logic of setting up a larger scalable installation
to address the needs of the few executives using the first generation of the service. It may be possible to have the requesting department fund all or part of
a more-expensive piece of equipment to avoid a fork-lift upgrade in the
future. (A fork-lift upgrade is one that requires the complete replacement of
a large component, a chassis, for example.) Even if IT may need to fund a
portion of the project, this is usually easier than funding the entire effort.
Second, a good network design will include factors that lend themselves
to scalability and modularity. For example, long-range (strategic) needs may
prompt the conversion of an entire network to new technologies, while
immediate needs encompass only a small portion of such a project. By
addressing tactical needs with an eye toward the strategic, the network
designer can accomplish two worthy goals: a reduction in costs and the creation of an efficient network. In reality, the costs may not be reduced; in fact,
the costs will likely rise. However, such costs will be amortized over a longer
period of time, thus making each component appear cost effective. Such an
undertaking is best approached by informing management of the schedule
and long-range plan. Budgets frequently open up when a long-term plan is
presented, and designers always want to avoid having a budget cut because
a precedent was set by spending too little in the previous year.
The third approach to balancing network cost with usability is to buy
cheaper components. A brief word of advice: avoid this approach at all costs.
The net impact is that additional resources are required for support, which
erodes any apparent savings.
The last approach is to use a billing model. Under this model, all purchases are pooled and then paid for by the other departments. This method
can be quite limiting or quite fair, depending on its implementation. Such a
model does away with the problem caused by concurrent usage but may
leave the IT group with no budget of their own.
Concurrent Usage
Concurrent usage is an interesting concept in network design, as it ignores
most other concerns. Imagine that the IT department has a single spare slot
on its router and another department (Department A) wants a new subnet.
One approach would be to have Department A purchase the router card and
complete the project. However, this approach fails to consider the next
request. A month later, another department (Department B) wants the same
special deal on a new network segment, but, alas, there are no open slots.
Department B would need to pay for a new router, power supplies, rack
space, wiring, maintenance, and so forth. Department A may have paid
$2,000 for their segment, but Department B will likely generate a bill for ten
times that figure. Of course, Department C, making their request after
Department B, would benefit from Department B's generosity; their new
segment would cost only $2,000, since there would now be a number of
open slots.
Another solution is to fund all network projects from a separate ledger;
no department owns the interface or equipment under this model. Unfortunately, this solution often leads to additional requests; it is always easier to
spend someone else's money. Bear in mind that this solution focuses only on
the technical costs. If the designer is asked to spend 30 hours a week for six
months on a single department's effort, there will likely be additional
expenses.
With all of these approaches, the goal is to obtain the largest amount of
funding for the network (within the constraints of needs) and then to stretch
that budget accordingly. There will likely be points in the design that have
longer amortization schedules than others, and this will help to make the
budget go further. For example, many corporations plan for the cable plant
to last over fifteen years (an optimistic figure in some cases), so you shouldn't
skimp on cabling materials or installation. Such expenses can be amortized
over a number of years, thus making them appear more cost effective. Plus,
a few pennies saved here will likely cost a great deal more in the long run.
Ultimately, it's best to try and work with the business and the corporate culture to establish a fair method for dealing with the cost factors.
A significant amount of this material is written in the context of large corporations and enterprise-class businesses. In reality, the concepts hold true for even
the smallest companies.
At this point, most readers preparing for the CID examination are
undoubtedly well versed in the OSI (Open Systems Interconnection) model
for network protocols.
If you need additional information regarding the OSI model and its relationship to the networking protocols, please consult one of the many texts on the
subject, including the Sybex Network Press publications.
This model (the OSI model) explains the functions and relationships of
the individual protocols. Similarly, a number of other network design models have been established. Most of these models now focus on a single three-tier methodology. This approach preserves many of the criteria necessary for
effective network design and will be presented later in this chapter.
Recall that the OSI model provides benefits in troubleshooting because
each layer of the model serves a specific function. For example, the network
layer, Layer 3, is charged with logical routing functions. The transport layer,
Layer 4, is atop Layer 3 and provides additional services. In the TCP/IP
world, Layer 3 is served by IP, and Layer 4 is served by TCP (Transmission
Control Protocol) or UDP (User Datagram Protocol).
As a humorous aside, some network designers have added two additional layers to the OSI model: Layer 8, which refers to the political layer, and Layer 9,
which represents the financial one. These layers are particularly appropriate
in the context of this chapter.
The flat network may assume many forms, and it is likely that most
readers are very comfortable with this design. In fact, most networks develop
from this model.
The traditional star topology typically meets the needs of a small company as it first expands to new locations. A single router, located at the company's headquarters, interconnects all the sites. Figure 1.1 illustrates this
design.
FIGURE 1.1 [diagram not reproduced: a router at each of Location A, Location B, Location C, and Location D]
The following list encompasses both the positive and negative aspects of
such a topology, but the negative aspects should be somewhat obvious:
Low scalability
Low cost
Star topologies are experiencing a resurgence with the deployment of private remote networks, including Digital Subscriber Line (DSL) and Frame
Relay solutions. While the entire network will likely mesh into another
model, the remote portion of the network will use the star topology. Note
that the star topology is also called the hub-and-spoke model.
The ring topology builds upon the star topology with a few significant
modifications. This design is typically used when a small company expands
nationally and two sites are located close together. The design improves
upon the star topology, as shown in Figure 1.2.
FIGURE 1.2 [diagram not reproduced: a router at each of Location A, Location B, Location C, and Location D]
As you can see, the ring design eliminates one of the main negative aspects
of the star topology. In the ring model, a single circuit failure will not disconnect any location from the enterprise network. However, the ring topology fails to address these other considerations:
Low scalability
Higher cost
Consider the last bullet item in the list and how the network designer
would add a fifth location to the diagram. This is perhaps one of the most
significant negative aspects of the design: a circuit will need to be removed
and two new circuits added for each new location. Figure 1.3 illustrates this
modification. Note that the thin line in Figure 1.3 denotes the ring configuration before Location E was added.
FIGURE 1.3 [diagram not reproduced: a router at each of Location A, Location B, Location C, Location D, and the added Location E]
While the ring topology addresses the redundancy portion of the network
design criteria, it fails to do so in an efficient manner. Therefore, its use is
not recommended.
[figure: routers at Location A, Location B, Location C, and Location D]
Clearly, the full-mesh topology offers the network designer many benefits. These include redundancy and some scalability. However, the full-mesh
network will also require a great deal of financial support. The costs in a full
mesh increase as the number of PVCs (permanent virtual circuits) increases,
which can eventually cause scalability problems.
FIGURE 1.5 [figure: routers at Location A, Location B, Location C, and Location D]
model. This model is sometimes used in metropolitan settings where a number of buildings require connectivity but only two buildings have WAN connections; this design reduces total costs yet provides some redundancy. The
two core installations in Figure 1.6 would incorporate the WAN links.
Notice that the two-tier model introduces a single, significant point of
failure: the link between the primary locations. However, if designed for
each side (east/west) to be independent of the other, the model can work
effectively.
This solution works best when both locations have strong support organizations and the expenses associated with complete integration are high.
Because of the limited connectivity between the two primary sites and the
lack of any other connections, this solution typically provides the lowest cost
and is the simplest approach. When a single core location is selected, the
alternate primary location can move to the distribution layer (explained in
the next section) or can provide a distributed core for redundancy.
FIGURE 1.6 [figure: routers at Location A, Location B, Location C, Location D, Location E, and Location F]
[figure: three-tier model. Core Layer: Network Core routers and FDDI Ring Campus Backbone. Distribution Layer: switch. Access Layer: hub and workstations]
Virtually all scalable networks follow the three-tier model for network
design. This model is particularly valuable when using hierarchical routing
protocols and summarization, specifically OSPF, but it is also helpful in
reducing the impact of failures and changes in the network. The design also
simplifies implementation and troubleshooting, in addition to contributing
to predictability and manageability. These benefits greatly augment the functionality of the network and the appropriateness of the model to address
the branches and leaves, the core links all the other sections of the network and thus must have sufficient capacity to move data. In addition, the
core typically connects to the corporate data center via high-speed connections to supply data to the various branches and remote locations.
Manageability Hierarchically designed networks are usually easier to
manage because of these other benefits. Predictable data flows, scalability,
independent implementations, and simpler troubleshooting all simplify the
management of the network.
Table 1.1 provides a summary of the functions defined by the hierarchical
model.
TABLE 1.1
Function      Description
Core          Typically inclusive of WAN links between geographically diverse locations, the core layer is responsible for the high-speed transfer of data.
Distribution  Usually implemented as a building or campus backbone or a limited private MAN (metropolitan-area network), the distribution layer is responsible for providing services to workgroups and departments. Policy is typically implemented at this layer, including route filters and summarization and access lists. However, the Cisco CID textbook answer for access lists is to place them in the access layer.
Access        The access layer provides a control point for broadcasts and additional administrative filters. The access layer is responsible for connecting users to the network and is regarded as the proper location for access lists and other services. However, network designers will need to compare their needs with the constraints of the model: it may make more sense to place an access list closer to the core, for example. The rules regarding each model are intended to provide the best performance and flexibility in a theoretical context.
FIGURE 1.9 [figure: Network Core routers connecting Enterprise Location A, Enterprise Location B, and Enterprise Location C]
Throughout this chapter the distribution and access layers are noted to be
acceptable locations for access lists. This placement depends on the function
of the list in question and the reduction in processing or administration that
the placement will cause. Generally access lists are not included in the core
layer, as historically this placement has impacted router performance substantially. The goal is to limit the number of lists required in the network and
to keep them close to the edge, which encourages access-layer placement.
However, given the choice of implementing 50 access-layer lists or two
distribution-layer lists, all things being equal, most administrators would opt
for fewer update points. Performance issues for ACLs are nowhere near as significant as they once were, so this concern, especially with advanced routing
such as NetFlow or multilayer switching, is substantially reduced.
Copyright 2000 SYBEX , Inc., Alameda, CA
For the purposes of the CID exam, the proper placement of access lists is the
access layer. For production networks, it is acceptable, and sometimes desirable, to place them in the distribution layer. For the CCNA/CCDA small-to-medium business examination, the proper placement of the access lists is
always the distribution layer, which is different from the CID recommendation.
For example, it would be appropriate for a SAP (Service Advertising Protocol) filter to block Novell announcements of printer services at the distribution layer because it is unlikely that users outside of the distribution layer
would need access to them. The textbook answer, however, is to place access
lists at the access layer of the model.
Route summarization and the logical organization of resources are also
well aligned with the distribution layer. A strong design would encompass
some logical method of summarizing the routes in the distribution layer. Figure 1.10 displays the IP (Internet Protocol) addressing and DNS (Domain
Name Service) names for two distribution layers attached to the core. Note
how 10.11.0.0/16 and 10.12.0.0/16 are divided at each router. Thus, routing
tables in the core need only focus on one route, as opposed to the numerous
routes that might be incorporated into the distribution area. In the same
manner, the DNS subdomains are aligned with each distribution layer,
which, along with IP addressing standards, will greatly augment the efficiency of the troubleshooting process. Troubleshooting is simplified when
administrators can quickly identify the location and scope of a network outage, a benefit of addressing standards. In addition, route summarization, a
concept presented in Chapter 4, can help avoid recalculations of the routing
table that might lead to problems on lower-end routers.
The final advantage of using this distribution layer design in the three-tier
model is that it will greatly simplify OSPF configurations. The network core
becomes a natural area 0, while each distribution router becomes an area
border router between area 0 and other areas.
FIGURE 1.10 [figure: Network Core; distribution router Alpha, 10.11.0.0/16, alpha.corp.com, with workgroups in its Access Layer; distribution router Beta, 10.12.0.0/16, beta.corp.com, with workgroups in its Access Layer]
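As an added illustration of the summarization just described (this is not code from the book), the following Python models the core's routing table for the two distribution areas of Figure 1.10 and includes the checks a designer would run before summarizing. The /24 workgroup subnets and the router names "alpha" and "beta" are constructed assumptions; the two /16 blocks are those in the figure.

```python
import ipaddress

# Constructed allocation in the style of Figure 1.10 (the /24 workgroup subnets
# and router names are assumptions): each distribution router owns one /16 and
# carves /24 workgroup subnets out of it for its access layer.
DISTRIBUTION = {
    "alpha": ("10.11.0.0/16", ["10.11.1.0/24", "10.11.2.0/24", "10.11.3.0/24"]),
    "beta": ("10.12.0.0/16", ["10.12.1.0/24", "10.12.2.0/24",
                              "10.12.3.0/24", "10.12.4.0/24"]),
}


def tightest_summary(subnets):
    """Smallest single prefix that covers every subnet in the list.

    Widens the first subnet's mask one bit at a time until all subnets fall
    inside it; useful to see how much of the owned block is actually in use."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def core_routes(distribution, summarize=True):
    """The core's routing table as {prefix: distribution router}.

    With summarize=True each distribution router advertises only its owned
    block, as an OSPF area border router would with a single summary range;
    with summarize=False every workgroup /24 is carried in the core."""
    table = {}
    for router, (block, subnets) in distribution.items():
        for prefix in ([block] if summarize else subnets):
            table[str(ipaddress.ip_network(prefix))] = router
    return table


def summarization_findings(distribution):
    """Checks to run before replacing specific routes with summaries.

    A subnet outside its router's block is not covered by that router's
    summary, so it either leaks into the core as a specific route or, if the
    specifics are filtered, becomes unreachable. Overlapping blocks leave the
    core with an ambiguous next hop for the shared range."""
    findings = []
    blocks = {r: ipaddress.ip_network(b) for r, (b, _) in distribution.items()}
    for router, (block, subnets) in distribution.items():
        for s in subnets:
            if not ipaddress.ip_network(s).subnet_of(blocks[router]):
                findings.append(f"{router}: {s} lies outside its summary {block}")
    names = list(blocks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if blocks[a].overlaps(blocks[b]):
                findings.append(f"{a} block {blocks[a]} overlaps {b} block {blocks[b]}")
    return findings


if __name__ == "__main__":
    print("without summarization:",
          len(core_routes(DISTRIBUTION, summarize=False)), "core routes")
    print("with summarization:   ", core_routes(DISTRIBUTION))
    for router, (_block, subnets) in DISTRIBUTION.items():
        print(router, "tightest summary:", tightest_summary(subnets))
    print("findings:", summarization_findings(DISTRIBUTION))
```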
Designers should use the distribution layer with an eye toward failure scenarios as well. Ideally, each distribution layer and its attached access layers
should include its own DHCP (Dynamic Host Configuration Protocol) and
WINS (Windows Internet Naming Service) servers, for example. Other critical network devices, such as e-mail and file servers, are also best included in
the distribution layer. This design promotes two significant benefits. First, the
distribution layer can continue to function in the event of core failure or
other concerns. While the core should be designed to be fault-tolerant, in
reality, network changes, service failures, and other issues demand that the
designer develop a contingency plan in the event of its unavailability. Second, most administrators prefer to have a number of servers for WINS and
DHCP, for example. By placing these services at the distribution layer, the
number of devices is kept at a fairly low number while logical divisions are
established, all of which simplify administration.
maintained at the access layer. For example, dial-in services would be connected to an access layer point, thus making the users all part of a logical
group. Depending on the network's overall size, it would likely be appropriate to place an authentication server for remote users at this point, although
a single centrally located server may also be appropriate if fault tolerance is
not required. It is helpful to think of the access layer as a leaf on a tree. Being
furthest from the trunk and attached only via a branch, the path between any
two access layers (leaves) is almost always the longest. The access layer is
also the primary location for access lists and other security implementations.
However, as noted previously, this is a textbook answer. Many designers use
the distribution layer as an aggregation point for security implementations.
FIGURE 1.11 [figure: Network Core routers; two Network Distribution Layers with Router A, Router B, routers and switches; hubs and workstations]
including route once/switch many technologies and server farms have altered
the 80/20 rule in many designs. The Internet and other remote services have
also impacted these criteria. While it is preferable to keep traffic locally
bound, in modern networks it is much more difficult to do so, and the benefits are not as great as before.
While the 80/20 rule does remain a good guideline, it is important to note
that most modern networks are confronted with traffic models that follow
the corollary of the 80/20 rule. The 20/80 rule acknowledges that 80 percent
of the traffic is off the local subnet in most modern networks. This is the
result of centralized server farms, database servers, and the Internet. Designers should keep this fact in mind when designing the network; some installations are already bordering on a 5/95 ratio. It is conceivable that less than
five percent of the traffic will remain on the local subnet in the near term as
bandwidth availability increases.
groups. Later in this text the issues of spanning tree and Layer 3 designs will
be presented; they relate well to this policy.
Note that this guideline also incorporates a separation of the broadcast
and collision domains. Network design model layers cannot be isolated by
only collision domains, a function of Layer 2 devices, including bridges and
switches. The layers must also be isolated via routers, which define the borders of the broadcast domain.
What Problem?
New networks are typically deployed to solve a business problem. Since
there is no legacy network, there are few issues regarding the existing infrastructure to address. Existing networks confronted by a potential upgrade
are typically designed to resolve at least one of the problems discussed below,
under Considerations of Network Design.
Future Needs?
It is unlikely that anyone with the ability to accurately predict the future
would use such ability to design networks. Ignorance is a likely enemy of
efforts to add longevity to the network design. An assessment of future needs
will incorporate a number of areas that will help augment the lifespan of the
network, but success is frequently found in gut feelings and overspending.
Network Lifespan?
Many would classify this topic as part of the future needs assessment; however, it should be viewed as a separate component. The lifespan of the network should also not be viewed in terms of a single span of time. For
example, copper and fiber installations should be planned with at least a 10-year horizon, whereas network core devices that remain static for more than
36 months are rare. Given these variations, it is important to balance the
costs of each network component with the likelihood that it will be replaced
quickly. Building in expandability and upgradability will affect the lifespan
of a network installed today. Designers should always consider how they
might expand their designs to accommodate additional users or services
before committing to a strategy.
Excessive Broadcasts
Recall that broadcasts are used in networking to dispatch a packet to all stations on the network. This may be in the form of an Address Resolution Protocol (ARP) query or a NetBIOS name query, for example. All stations will
listen and accept broadcast packets for processing by an upper-layer process; the broadcast itself is a Layer 2 process.
While the broadcast packet is no larger than any other packet on the
media, it is received by all stations. This results in every station halting the
local process to address the packet that has been forwarded from the network interface card. This added processing is very inefficient and, for the
majority of stations, unnecessary.
A general network design guideline says that 100 broadcasts per second
will reduce the available CPU on a Pentium 90 processor by two percent.
Note that this figure does not compare the percentage of broadcasts on the
network to user data (typically unicast). While most modern networks are
now using much more powerful processors and larger amounts of bandwidth per workstation, broadcasts are still an area warranting control by the
network designer and administrator.
There are two methods for controlling broadcasts in the network. Routers
control the broadcast domain. Thus, a router could be used to divide a single
network into two smaller ones. This would theoretically reduce the number
of broadcasts per segment by 50 percent. This technique would also affect
bandwidth and media contention, so it might be the correct solution. However, it is now much easier to use a router to reduce broadcasts. In reality, the
total number of broadcasts will almost always increase when using two networks instead of one. This is due to the nature of the upper-layer protocols.
For example, a single network could use a single Service Advertising Protocol (SAP) packet (Novell), whereas a dual network installation will require
at least two. The number of broadcasts per network will decrease, but not by
50 percent.
Another method for controlling broadcasts is to remove them at the
source, typically servers and, to a lesser extent, workstations. This is one
aspect of network design that greatly benefits from the designer having a
detailed knowledge of both protocols and operating systems. For example,
Apple computer has offered an IP-based solution for its traditional AppleTalk networks for a long time. Implementation of this service would greatly
reduce the number of broadcasts in the network for a number of reasons,
including the elimination of an entire protocol and AppleTalk's intensive use
of broadcasts. Assuming that most workstations are also running IP for
Internet connectivity, this design could easily be incorporated into the network. Removing AppleTalk provides two benefits: a reduction in background broadcasts compared with IP and in the amount of overhead
demanded by the network.
Security
Security is one of the overlooked components of network design. Typically,
the security procedures and equipment are added to the network well into the
implementation phase. This usually results in a less-secure configuration that
demands compromises. For example, access lists are one component of network security. Assuming a hierarchical design, if the network designers were
to use bit boundaries to define security domains, a single access-list wildcard
mask could be used in different areas of the network. In addition, extranet
(non-internal) connections could be placed in a secure, centralized location,
freeing greater bandwidth for the rest of the enterprise. This design contrasts
with installations where these connections are distributed throughout the
network. While centralization may lead to more significant outages, it is
often easier to administer resources in a protected, central location close to
the support organization.
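The bit-boundary idea above, worked through as an added example that is not from the book: it assumes a constructed plan in which every site owns 10.<site>.0.0/16 and its server security domain always occupies 10.<site>.240.0/20. The code derives the one wildcard mask that matches that domain in every site, applies it the way an access list does, and measures how far an unaligned allocation would over-match.

```python
import ipaddress

# Constructed plan (not from the book): every site owns 10.<site>.0.0/16 and its
# server security domain always sits at 10.<site>.240.0/20. Site numbers 4..7
# share the bit pattern 000001xx, so the whole set lies on one bit boundary.
ALIGNED_SERVER_ZONES = ["10.4.240.0/20", "10.5.240.0/20",
                        "10.6.240.0/20", "10.7.240.0/20"]
# Same idea, but each site picked a different offset for its server zone.
UNALIGNED_SERVER_ZONES = ["10.4.240.0/20", "10.5.128.0/20"]

ALL_ONES = 0xFFFFFFFF


def wildcard_for(blocks):
    """Derive one (address, wildcard) pair that covers every block in the list.

    A Cisco wildcard bit of 0 means 'must match', 1 means 'don't care'. Bits
    that differ between any two blocks, and the host bits of each block, must
    therefore be 1; every other bit is checked exactly."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    first = int(nets[0].network_address)
    wildcard = 0
    for n in nets:
        wildcard |= int(n.hostmask)                  # host bits: don't care
        wildcard |= first ^ int(n.network_address)   # varying bits: don't care
    address = first & ~wildcard & ALL_ONES
    return ipaddress.IPv4Address(address), ipaddress.IPv4Address(wildcard)


def ace_matches(address, wildcard, ip):
    """Apply the wildcard the way an access list does: compare care bits only."""
    care = ~int(wildcard) & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(address) & care)


def overmatch(address, wildcard, intended_blocks):
    """Number of addresses the entry treats as in-domain although they are not.

    The wildcard always covers the blocks it was derived from, so the excess is
    the total it matches minus the intended size (blocks assumed disjoint).
    Zero means the single wildcard is exact; anything else is address space the
    designer is implicitly placing inside the security domain."""
    matched = 1 << bin(int(wildcard)).count("1")
    intended = sum(ipaddress.ip_network(b).num_addresses for b in intended_blocks)
    return matched - intended


def render_ace(address, wildcard, action="permit"):
    """IOS-style extended ACL entry for the derived pair (source side only)."""
    return f"{action} ip {address} {wildcard} any"


if __name__ == "__main__":
    for zones in (ALIGNED_SERVER_ZONES, UNALIGNED_SERVER_ZONES):
        addr, wc = wildcard_for(zones)
        print(render_ace(addr, wc), "| overmatch:", overmatch(addr, wc, zones))
```

With the aligned plan one entry is exact; with the unaligned plan the derived mask is so loose that it admits tens of thousands of addresses that are not server zones, which is the point the paragraph makes about deciding security domains at design time.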
Consider for a moment a fairly benign network design decision. A company elects to deploy an ATM WAN for a new network upgrade. The network requires some security, because the data is privileged and involves
financial information. Rather than isolating extranet connections, the company decides to place these less-secure links on the same physical interface as
their internal connections. While this setup can work, think about the limitations that such a design would impose on security. The designer would be
unable to restrict the PVC before the circuit entered the core router, thus
making the only line of defense a subinterface access list. Denial-of-service
attacks and other intrusion techniques would be much more likely than if the
extranet PVC were isolated from the enterprise network by a separate router
and a firewall.
Having identified security as a design consideration, the designer must
evaluate the role of the network in the security model. There is little question
that firewalls and bastion hosts (a bastion host is a secure public presence; it may be the firewall itself or a server in the transition area between the public and private networks, also called a DMZ) are part of the network, but
some schools of thought argue that the network, in and of itself, is not a security device. While there are compelling arguments to support the stance that
the network is not a security solution, most designers take a simpler view of
security. In practical terms, anything that can protect the data in the network, be it a lock on a door, an access list, or the use of fiber instead of copper, is part of an overall solution and should be considered in the design of
the network.
Some of the tools available to the network architect are:
Fiber links
Firewalls
Access lists
Bastion hosts
Encryption
Accounting
Auditing tools
Addressing
Addressing issues frequently involve the IP protocol, which uses user-defined
addresses. Many networks evolved without regard to the strategic importance of the infrastructure. In addition, corporations occasionally acquire
another organization, resulting in the duplication of network addresses even
with careful planning. Whatever the cause, readdressing IP addresses is a significant process in the life of the network. And while DHCP, NAT, and
dynamic DNS can reduce the impact, there will likely be a point where some
determined effort is necessary.
Subsequent chapters will discuss the art of network readdressing; however, there are a few points that should be presented here. First, plan for connectivity to other companies and the Internet. Second, consider the impact of
readdressing on the corporation's servers and workstations and have a plan
in mind on how to deploy any remedial effort. Third, know the limitations
of the various tools that would be used in readdressing, including the fact
that NAT cannot cope with NetBIOS traffic, an important function of the
Windows and OS/2 operating systems. Chapter 7 presents the NetBIOS protocol in detail. In addition, designers will need to consider the use of RFC
1918 addresses, a collection of addresses specifically reserved from appearing on the Internet. Finally, consider the impact of the classful network
address and the routing protocols that you might need.
Don't be concerned if some of the issues presented here are new. In later
chapters they will be presented in greater detail.
Bandwidth
There are two schools of thought regarding bandwidth in network design.
The first believes that the network is built to withstand peaks and then some.
Historically, this has resulted in throwing bandwidth at poor application
FIGURE 1.12 [plot: Percentage (vertical axis, 5 to 30) against Hour (horizontal axis, 0:00 to 23:00)]
be the perfect solution, but only if consideration is given to cost and overhead. For example, many companies jumped on the ATM LANE (LAN
Emulation) platform for backbone technology in the late 1990s. While a
good solution, LANE greatly adds to the cost of the network and the overhead associated with it. Gigabit Ethernet and other technologies may provide better solutions, equal or greater bandwidth, and lower cost. Of course,
if voice and other services geared toward ATM are needed, the effort may be
warranted.
New Payloads
Networks are frequently called upon to supply services beyond those originally anticipated. Not that long ago, video and voice over data networks
(LAN systems) were costly and lacked sufficient business drivers for implementation. As the technology advances, more and more firms are exploring
these services.
In addition, there may be enhancements to existing systems that greatly
add to the networks burden. Consider a simple database that contains the
names and addresses of a company's customers. Each record might average
2,000 characters, less than 10,000 bits, including overhead. When the database is enhanced to include digital images of the customers and their homes
in addition to a transcript of their previous five calls, it is easy to see the
potential impact. What was 2,000 characters may exceed 2 million, possibly
resulting in millions of bits per transaction. No protocol was added to the
network nor were additional users placed in the switch, but the impact
would greatly tax even the best designs.
Configuration Simplification
One of the most significant costs in the network results from the move, add,
and change (MAC) process. This process refers to the effort involved in
installing new users onto the network or changing their installation. The
MAC process also includes the relocation of users and their systems.
Various studies have been conducted to measure the true cost of MAC
efforts, directly related to both the network costs and the lost productivity of
the workers affected. Given that employees may earn $50 an hour on average, a half-day move of even 20 employees will cost $4,000 in lost productivity, not including the impact on non-moved workers. Add the cost of
wiring, configuring, installing, and relocating workstations and other systems, and the cost jumps significantly. With the average worker moving 1.1
times per year (according to some surveys from 1997), it is easy to see how
this minor cost would quickly impact the finances of the company.
To address these costs, vendors have added features to simplify and accelerate the MAC process. These may include the use of VLAN/ELAN technology (Virtual LANs/Emulated LANs) and DHCP, for example. DHCP is
a dynamic method for assigning IP addresses to workstations. The designer
should consider these features in any new design and use any cost savings to
help offset the initial costs against the recurring costs.
Protocol Scalability
Protocol scalability refers to a protocol's ability to service increasingly larger
numbers of nodes and users. As an example, IP is capable of servicing millions of users with careful planning and design. AppleTalk, in contrast, does
not scale well due to the chatty nature of the protocol and its use of broadcasts and announcements to inform all devices in the network about all other
resources. IPX/Novell and NetBIOS share these limitations. Keep in mind
that scalable protocols are frequently routable; they contain a Layer 3
address that routers can use for logical grouping. This address further groups
and segments systems for efficiency.
Business Relationships
If there is one aspect of network design that overshadows all others, it would
have to be the integration of the business objective with the implementation.
Consider these scenarios for a moment. A network is designed to carry
data, data that is increasingly critical to a business. In addition, this business funds the network equipment and implementation. A similar scenario
may involve a small home network. In preparing for a Cisco examination, an
administrator creates a small lab with the objective of passing the test. Or the
home user wishes to establish a LAN for sharing a printer and some files. On
a grander scale, an international corporation uses networks to exchange data
with business partners and workgroups alike. In each scenario, each of these
groups is choosing to spend money on a network in the hope that the initial
costs will be offset by the improvements in productivity or increased sales.
Business types refer to this as opportunity cost, and network designers
should use this term as well.
There are really two types of business relationships that involve network
designers. The first presents itself in the form of the requester. The requester
may be the administrator; perhaps a technical benefit has been identified
with respect to changing routing protocols. It is more likely that the request
originates with the business itself, however. Such a request might appear in
the form of a need to transfer billing information to a financial clearinghouse
or configuring a system to permit salespeople to access their e-mail on the
road. Whatever the request, the components of implementation remain
fairly consistent. Cost, compatibility, security, supportability, and scalability
all enter into the equation, and each of these will impact different business
units differently.
There have been many incredible network designs presented to CIOs and
presidents of large corporations. Of all these designs, only a handful are
actually implemented. Only those network designs that reflect an understanding of a company's business needs and objectives are worthy of implementation, at least from a textbook perspective. For example, consider a
simple request for a connection to the Internet. From a technical perspective,
a design using OC-48 might be just as valid as a connection using ISDN
(Integrated Services Digital Network) or ADSL (Asymmetric Digital Subscriber Line). Yet few would consider placing a 100,000-person company on
a single ISDN BRI (Basic Rate Interface) or purchasing a SONET ring for a
small school. Designing a network without an understanding of the objective(s) is folly at best.
So, what is a business relationship and how does it fit into the design of
a network or the preparation for an examination? Well, the truth is that this
is a hard question to prepare for, even though network designers are confronted with this challenge each and every day. This is why such a seemingly
simple topic requires so much attention.
A business relationship ideally begins before a project is conceived and
involves a bit of cooperation. Many companies place an information specialist in at least one departmental meeting each week to ask questions at the
same time the business challenge is addressed. This also affords the opportunity to provide as much warning as possible to the network, server, and
workstation groups (assuming that they are different). The relationship may
take on an informal tone; there is nothing wrong with obtaining information about the Marketing department's newest effort during the company
volleyball game, as an example. The objective remains the same: to provide
as much assistance to the business as early in the process as possible.
ordered well in advance.) This flow chart concentrates solely on the technical
aspects. Keeping that in mind, let's examine each step in more detail.
1. Analyze the network requirements. The requirements analysis process
should include a review of the technical (both technology and administrative) components, along with the business needs assessment.
2. Develop an internetwork structure. Composing a network structure
FIGURE 1.15 [figure: Enterprise, RFC 1918 10.0.0.0/8; Site 1, 10.1.0.0/16; Core Layer: Network Core routers and FDDI Ring Campus Backbone; Distribution Layer: Building 1, 10.1.16.0/20, and Building 2, 10.1.24.0/20; Access Layer: switch, hub, and workstations host.bldg1.xyz.com and host.bldg2.xyz.com]
ware have already been selected. For the project to move forward, an
order would need to be placed at this phase. The selection and configuration of components should include cabling, backbone, vertical and
horizontal wiring, routers, switches, DSU/CSUs (data service units/
channel service units), remote-access services, ISP/Internet providers,
and private WAN telecommunication vendors.
5. Add new features. The flow chart classifies this fifth step as adding
6. Implement, monitor, and maintain the network. The final step is really
Let's walk through a simple network design process. Do not be concerned if you are unfamiliar with the specific technologies noted in this scenario; the actual details are unimportant. However, a good designer should
always have a list of technologies to research and learn, and you may wish
to add the unfamiliar components to your list.
The Sales department has requested a DSL-based solution for their team.
One of the senior sales executives has read articles touting the benefits of
DSL, which has led to this request. Users will want access to corporate data
and the Internet at high speeds. In addition, users may be at home, at a client's site, or in a hotel. The budget for the project is undefined; however, you
are told that there will be funding for whatever it takes.
Stop for a moment and consider the different factors and issues associated
with this request. List some of the questions that should be answered.
Here is a short list of preliminary questions:
Note that some of these questions will not have an answer, or the answer
will be vague.
The designer will have to make some interesting decisions at this point.
The requirement for high-speed access from client sites and hotels is one
issue. DSL requires a pre-installed connection. It is not widely available,
unlike POTS (plain old telephone service), and is either configured as private
(similar to Frame Relay in which companies share switches and other components, while PVCs keep traffic isolated) or public, which usually connects
to an ISP and the Internet. An immediate red flag would be the lack of DSL
availability in remote locations. Note that the request specified DSL. Why?
Is it because the technology is needed or because it is perceived as newer, better, and faster?
Depending on the answers, it may still make sense to use DSL for the
home. However, the design will still fail to address the hotel and customer
sites. Perhaps a VPN (Virtual Private Network) solution with POTS, ISDN,
and DSL technologies would work. This solution may include outsourcing
or partnering with an ISP (Internet Service Provider) in order to implement
the design. Note that at no point in the process have routing protocols, hardware components, support, or actual costs been discussed. These factors
should be considered once the objectives for the project have been defined.
This problem begs a nontechnical solution, especially since the costs for a
technical solution, even for Frame Relay, would be very high. As a variation
on SneakerNet, why not propose FedExNet? (SneakerNet was one of the
most popular network technologies ever used: users simply walked floppies and files to recipients.) It is important to consider the alternatives; in
this case the requirements did not mandate a technical solution, just a solution. A CD-ROM or tape would easily contain the data, and, at current tariffs,
the cost would be less than 1/20th the technical solution. It may not appear
as glamorous, but it is secure and reliable. Note these last two points when
considering an Internet-based solution, which would also be cheaper than
private Frame Relay.
This chapter has already touched upon cost as a significant factor in network design, and the majority of these costs are associated with the telecommunications tariff. The tariff is the billing agreement used, and, like
home phone service, most providers charge a higher tariff for long-distance
and international calls than they do for local ones. Designers should always
consider the distance sensitivity and costs associated with their solutions;
Frame Relay is typically cheaper than a leased line, for example.
Summary
Excessive broadcasts
Media contention
Security
Addressing
Bandwidth
New payloads
Configuration simplification
Protocol scalability
Business relationships
Review Questions
1. A small, four-location network might use which of the following network designs?
A. A star topology
B. A ring topology
C. A full-mesh topology
D. A star/mesh topology
E. A mesh/ring topology
2. Which of the following are considerations of a good network design?
A. Security
B. Control of broadcasts
C. Bandwidth
D. Media contention
E. All of the above
3. Place the following in chronological order:
A. Develop an internetwork structure
B. Analyze the network requirements
C. Add new features
D. Implement, monitor, and maintain the network
E. Configure standards
4. Why do network designers use the three-tier model?
A. It lends itself to scalable network designs.
B. It costs less to implement three-tier networks.
C. Without three tiers, networks cannot be secured.
D. Business considerations are impossible to integrate without three
tiers.
the root?
A. The core
B. The distribution layer
C. The access layer
D. DNS domains do not map to network layers.
13. Access lists might be found at which of the following three-tier model
layers?
A. The core layer
B. The distribution layer
C. The access layer
D. The extranet layer
14. The 80/20 rule states which of the following?
A. That 80 percent of the traffic should leave the local subnet.
B. That 20 percent of the traffic should be in the form of broadcasts.
C. That 20 percent of the traffic should remain local.
D. That 20 percent of the traffic should leave the local subnet.
15. Which of the following would not be included as a good network
design criteria?
A. Low cost
B. Adaptiveness
C. VLSM
D. Scalability
16. The network design strives to simplify the move-add-change (MAC)
design?
A. Size versus features
B. Features versus redundancy
C. Cost versus availability
D. Future capabilities versus scalability
18. Please rate the following designs based on their inherent redundancy.
A. Full mesh
B. Partial mesh
C. Hierarchical
D. Star
19. Hierarchical networks do NOT include which of the following?
A. Three tiers divided with Layer 3 devices
B. Enhanced scalability
C. Easier troubleshooting
D. Fewest hops between end points
20. Based on the model and network characteristics specified in each
tribution layer with two distribution layer routers and one core
and a total of seven routers.
C. Using a ring topology, the network contains seven sites and a total
of seven routers.
D. Using a star (hub-and-spoke) topology, the network contains
The core should be used only for the rapid transfer of data.
8. A.
Designers should also consider server and workstation tuning as possible solutions. Recall that Layer 2 does not divide the broadcast
domain.
12. D.
13. C.
14. D.
15. C.
Chapter 2
Network Design Technologies
CISCO INTERNETWORK DESIGN EXAM
OBJECTIVES COVERED IN THIS CHAPTER:
List common reasons that customers invest in a campus LAN
design project.
Examine statements made by a client and distinguish the
relevant issues that will affect the choice of campus LAN design
solutions.
Define switches, virtual LANs, and LAN emulation.
Examine a clients requirements and construct an appropriate
switched campus LAN solution.
Define routing functions and benefits.
Examine a clients requirements and construct an appropriate
campus LAN design solution that includes switches and
routers.
Examine a clients requirements and construct an appropriate
ATM design solution.
Construct designs using ATM technology for high-performance
workgroups and high-performance backbones.
Upgrade internetwork designs as the role of ATM evolves.
The first chapter of this book focused on the many nontechnical facets of network design. This chapter will depart from the nontechnical
components and begin to develop the technical components.
The technical components of networking include many different elements. All of these elements require consideration by the network designer in
virtually every design. Decisions made in one area can quickly force compromises in another area that may not be fully anticipated. While a full explanation of some of the common issues is beyond the scope of this text (and the
exam), the text will take some steps to identify and address these issues.
The network design technologies include the components of the first three
OSI model layers. Repeaters, hubs, switches, and routers all work in different ways to integrate within the infrastructure. Designers must understand
the differences between these devices and their functions. They must also
consider newer technologies and more complex systems. These may include
ATM, ATM LANE, FastEtherChannel (FEC), GigEtherChannel (GEC), and
VLAN (virtual LAN) trunking. Some vendors are beginning to deploy Layer 5
switching technology, a development that may alter design models in future
years.
Within the context of the current exam, switches are purely Layer 2 devices,
and the integration of routing and other technologies is out of scope unless
explicitly referenced.
Designers should also consider business needs when evaluating technologies and the subsequent changes in direction that occur. While vendors profit
substantially from the purchase of new equipment, the business may not
share in the benefits from the upgrade. The corporation is interested in reliable economic growth, and the network is typically the mechanism by which
business is performed; it rarely is the business itself. Consider this in a different perspective. Corporation X makes hockey sticks. It doesn't matter
whether the network is using EIGRP on FastEthernet with HSRP (Hot
Standby Router Protocol). It does matter whether the network operates during the two shifts that manufacture the product and during the end-of-month
financial reports. Upgrading to ATM may sound desirable, but if the network is stable on Ethernet and isn't growing, upgrading is unlikely to garner
a return on investment.
In the same context, the designer should focus on the specific problem at
hand and work to resolve it within any existing constraints. With new
designs, it becomes more important to anticipate potential problems, which
is the mark of an excellent designer. Cisco categorizes network problems
into three specific areas: media, protocols, and transport. While these
parameters may be oversimplified, they should help novice designers identify and resolve the issues that will confront them.
Media The media category relates to problems with available bandwidth. Typically, this refers to too high a demand on the network as
opposed to a problem with the media itself. Designers would likely use
switches and segmentation to address this category of problem, although
links of greater bandwidth would also be practical.
Protocols Protocol issues include scalability problems. Many of the
chapters in this text will discuss the problems with certain protocols due
to their use of broadcasts. This usage may lead to congestion and performance problems, which would not be resolved with media modifications
per se. Protocol issues are typically resolved with migrations to the Internet Protocol (IP), although some tuning within the original protocol can
provide relief as well. IP is suggested primarily because of current trends
in the market and advances that have increased its scalability.
Transport Transport problems typically involve the introduction of
voice and video services in the network. These services require more consistent latency than traditional data services. As a result, transport problems are typically resolved with recent Ethernet QoS (quality of service)
enhancements or ATM switches. Transport issues may seem similar to
media problems, but there is a difference. The transport category incorporates new time-sensitive services, whereas the media category is targeted more toward increased demand.
LAN Technologies
In modern network design, there are five common technologies, as enumerated below. Each provides unique benefits and shortcomings in terms of scalability and cost. However, many corporations also consider user familiarity
and supportability along with these factors.
Ethernet Includes FastEthernet, GigabitEthernet, and enhancements
still under development to increase theoretical bandwidth. Ethernet is the
most frequently deployed networking technology. Many network designs
have included switched-to-the-desktop Ethernet, which increases available bandwidth without requiring a change at the workstation.
Token Ring Token Ring is a very powerful networking technology that
was frequently deployed in large financial institutions that started with
mainframe systems. However, it never met with the success of Ethernet
primarily because of the expense involved. Token Ring adapters were
always significantly more expensive than Ethernet NICs (network interface cards), and many firms based their decisions on financial considerations. In later years, Ethernet was enhanced to FastEthernet and switching
was added. This overcame many of Token Rings positive attributes and
placed it at a significant disadvantage in terms of performance (16MB
early-release Token Ring versus 100MB full-duplex Ethernet).
FDDI Fiber Distributed Data Interface and its copper equivalent, CDDI,
were very popular for campus backbones and high-speed server connections. Cost has prevented FDDI from migrating to the desktop, and
advances in Ethernet technology have eroded a significant portion of the
FDDI market share.
ATM Asynchronous Transfer Mode was the technology to kill all other
technologies. It is listed here as ATM, as opposed to ATM LANE, discussed below. In this context it is not considered a LAN technology, but
ATM is frequently considered along with ATM LANE in LAN designs.
There is no question that ATM will expand as a powerful tool in wide
area network design and that many companies will first accomplish the
integration of voice, video, and data using this technology. However, vendors are beginning to map IP and other transports directly onto fiber
especially using the dense wavelength division multiplexing (DWDM) that
has matured in the past few years. This technology may ultimately remove
ATM from the landscape. Note that some large campus installations
use ATM to replace FDDI rings, a design that does not include LANE.
FIGURE (number not recovered; diagram not reproduced; labels: Distribution Layer, Workstation, Server, Workstation)
Designers require a number of components in the design and administration of the LAN. These include cabling, routers, and concentrators (hubs or
switches).
Within this text, routers are considered to be the only Layer 3 devices, while
switches operate at Layer 2. This is consistent with the current exam objectives; however, modern switching products now address Layers 3 and 4,
while development is in progress to expand awareness to Layer 5. This will
improve caching and QoS functionality. Some consider these new switches to
be little more than marketing hype, but there is little doubt that increased
knowledge regarding the content of data will augment security and prioritization of flows. This text will not enter the debate of switch versus router; it will
simply define switching as a Layer 2 function and routing as a Layer 3 function. Note that some hierarchical models use Layer 2 switches as the access
layer, with the first router at the distribution layer.
Cabling
Designers often ignore cabling in the network design process, although up to
70 percent of network problems can be attributed to cabling issues. Responsibility for infrastructure is left to facilities staff or other organizations, especially within large corporations. This is certainly not the best methodology
for effective network deployments. The cable plant is the single most important factor in the proper maintenance of the network and, as noted in Chapter 1, the cable plant has the longest life cycle of any network component.
Most LAN infrastructures continue to use copper-based cable for the
desktop and fiber for riser distribution. Placing fiber at the desktop is slowly
becoming popular, and with the introduction of RJ-45-style (MT-RJ) connectors, the space required for these installations is not an issue. Designers
should be familiar with the certified maximum distances that are permitted
for the various media. The specifications incorporated into the physical
media standard for each protocol virtually guarantee successful connectivity.
While such values are more than rules of thumb, they are easy to incorporate
into network designs and insulate the designer from having to understand
the detailed electrical criteria involved in twisted-pair wiring and fiber
optics. Table 2.1 notes the physical media distance limitations.
TABLE 2.1 Physical Media Distance Limitations
Media                          Distance
CDDI (CAT 5)                   100 meters
FDDI (MM)                      2,000 meters
FDDI (SM)                      30,000 meters
(media label not recovered)    2,000 meters
(media label not recovered)    10,000 meters
(media label not recovered)    200 meters
Ethernet (CAT 3 or 5)          100 meters
Ethernet (MM)                  2,000 meters
FastEthernet (CAT 5)           100 meters
(media label not recovered)    2,000 meters
(media label not recovered)    400 meters
(media label not recovered)    10,000 meters
companies require a home run from the panel to the station. This type of
installation uses a single, continuous wire. In contrast, other organizations
install riser cable that terminates to a frame in the closet. These terminations
cross-connect to the stations. This type of installation is often cheaper and
permits additional flexibility. In either configuration, punch-down work and
other maintenance should occur at a single point whenever possible. It is also
extremely important to document what is installed.
Routers
Routers are perhaps the most significant tool in the network designer's repertoire for dealing with broadcasts in the enterprise. As noted in Chapter 1,
it would be ideal to reduce the number of broadcasts in the network at the
source, but this is not an option under most circumstances.
Unlike Layer 2 devices, routers block broadcasts from leaving the network segment. In other words, routers define the broadcast domain. This is
an important consideration, as few protocols will scale beyond 200 nodes
per broadcast domain; thus, routers are usually needed in inefficient multiprotocol networks of over 200 nodes.
There are other benefits to routers as well. Routers convert between different media, for example, FDDI and Ethernet. The Catalyst switch (along
with most other multiprotocol switches on the market) will also perform this
function, but many designers still consider the use of a router to be superior
when performing a media conversion. Routers also impose a logical structure on the network, which is frequently necessary when designing large
environments. Lastly, routers are very useful for implementing policies
regarding access. Access control lists (ACLs) may be used to block access to
certain devices in the network or to filter informational packets regarding
services (an IPX SAP access list, for example).
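The access-policy role just described can be illustrated with a small first-match evaluator. This is an added example written for this edition of the text, not Cisco IOS code; the entry format, the sample policy and the packets are constructed for illustration. It shows the two properties a designer must keep in mind when placing ACLs at the router: entries are evaluated top to bottom and the first match wins, and a packet that matches nothing falls through to an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One access list entry (constructed format for this example).
    A dst_port of None matches any destination port."""
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches any protocol; otherwise "tcp", "udp" or "icmp"
    source: str            # CIDR prefix; "0.0.0.0/0" plays the role of 'any'
    destination: str       # CIDR prefix
    dst_port: Optional[int] = None


def evaluate_acl(entries: List[AclEntry], packet: dict) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom. The first entry whose protocol, source,
    destination and (if given) destination port all match decides the packet's
    fate and its index is returned. A packet matching no entry falls through to
    the implicit deny at the end of every list, reported with index None."""
    src = ip_address(packet["src"])
    dst = ip_address(packet["dst"])
    for index, entry in enumerate(entries):
        if entry.protocol != "ip" and entry.protocol != packet["proto"]:
            continue
        if src not in ip_network(entry.source) or dst not in ip_network(entry.destination):
            continue
        if entry.dst_port is not None and entry.dst_port != packet.get("dport"):
            continue
        return entry.action, index
    return "deny", None


# Constructed policy for an inbound list on the router interface facing a server
# segment: allow only HTTP from the user subnet to the web server, block anything
# else destined for the server segment, and let all other traffic through.
SERVER_SEGMENT_ACL = [
    AclEntry("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", dst_port=80),
    AclEntry("deny", "ip", "0.0.0.0/0", "10.2.0.0/24"),
    AclEntry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def decide(entries: List[AclEntry], packet: dict) -> str:
    """Convenience wrapper returning only the action."""
    return evaluate_acl(entries, packet)[0]


if __name__ == "__main__":
    # Constructed sample packets: a web request, an SSH attempt, and unrelated traffic.
    samples = {
        "http to web server": {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "dport": 80},
        "ssh to web server": {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "dport": 22},
        "dns elsewhere": {"src": "10.1.5.7", "dst": "10.3.0.1", "proto": "udp", "dport": 53},
    }
    for name, pkt in samples.items():
        print(f"{name}: {evaluate_acl(SERVER_SEGMENT_ACL, pkt)}")
    # Reversing the list puts 'permit any any' first, so the SSH attempt is now permitted:
    print("reversed list, ssh:", evaluate_acl(list(reversed(SERVER_SEGMENT_ACL)), samples["ssh to web server"]))
```

The reversed-list case at the end is the point to take away for design reviews: the same entries in a different order produce a different policy, so the order of entries is part of the design, not an implementation detail.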
One of the keys to obtaining performance from a switch is the proper design
of the network. Resources, or those devices that service many users, should
be provided with the fastest ports available on the switch. Stated another way,
it would be poor design to put a file server on a 10MB interface servicing
100MB workstations. The greatest bandwidth should always be allocated to
servers and trunk links.
Technically, switches are defined within Layer 2 of the OSI model, and
Cisco continues to use this definition. However, as noted in the previous section, modern switches are greatly expanding upon the definition of their
original role. For the purposes of this discussion, switches forward frames
based only on the MAC layer address.
Switches are also responsible for maintaining VLAN information and
may isolate ports based on the end-station MAC address, its Layer 3 address
(although forwarding decisions are still based at Layer 2), or the physical
port itself.
Most switches operate in one of two forwarding modes. Cut-through
switches forward frames as soon as the destination address is seen. No CRC
(cyclical redundancy check) is performed, and latency is consistent regardless of frame size. This configuration can permit the forwarding of corrupted
frames. The second forwarding mode is called store-and-forward. The entire
frame is read into memory, and the CRC is performed before the switch forwards the frame. This prevents corrupted frames from being forwarded, but
latency is variable and greater than with cut-through switching.
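The difference between the two forwarding modes comes down to whether the frame check sequence (FCS) is ever examined. The following is an added example written for this edition, not code from the book or from any switch vendor. It builds a constructed Ethernet II frame with a real CRC-32 FCS, damages one bit, and models the two decisions: a cut-through switch has already committed to an output port after the 6-byte destination address, so the corrupted frame goes out; a store-and-forward switch buffers the whole frame, fails the CRC and drops it.

```python
import zlib

# Constructed sample frame fields (not taken from the book).
DST_MAC = bytes.fromhex("00d0ba0102aa")
SRC_MAC = bytes.fromhex("00d0ba0102bb")
ETHERTYPE_IPV4 = b"\x08\x00"
# Padded so the payload meets the 46-byte minimum for an Ethernet frame.
PAYLOAD = b"sample payload for a minimum-size Ethernet frame" + b"\x00" * 10


def build_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame and append its FCS. The FCS is CRC-32 over
    everything from the destination MAC to the end of the payload, sent
    least-significant byte first."""
    body = dst + src + ethertype + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + fcs.to_bytes(4, "little")


def fcs_is_valid(frame: bytes) -> bool:
    """Recompute the CRC-32 over the frame body and compare with the trailing FCS."""
    body, fcs = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == int.from_bytes(fcs, "little")


def cut_through_decision(frame: bytes) -> dict:
    """A cut-through switch forwards as soon as the 6-byte destination address has
    been read. The FCS has not even arrived at that point, so it is never checked
    and a corrupted frame is forwarded with the same latency as a good one."""
    return {"forward": True, "dst": frame[:6].hex(), "bytes_examined": 6}


def store_and_forward_decision(frame: bytes) -> dict:
    """A store-and-forward switch buffers the entire frame, verifies the FCS and
    discards the frame when the check fails. Latency grows with frame size."""
    return {"forward": fcs_is_valid(frame), "dst": frame[:6].hex(), "bytes_examined": len(frame)}


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate line damage (constructed test input)."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    good = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, PAYLOAD)
    bad = corrupt(good, 30)  # offset 30 lies inside the payload
    print("good frame, cut-through:      ", cut_through_decision(good))
    print("good frame, store-and-forward:", store_and_forward_decision(good))
    print("bad frame, cut-through:       ", cut_through_decision(bad))
    print("bad frame, store-and-forward: ", store_and_forward_decision(bad))
```

The design consequence is the one the paragraph states: where corrupted frames must not propagate across a trunk or into a server farm, store-and-forward is the safer choice, and the variable latency is the price paid for the check.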
Although switches are defined in the main text, designers should consider the
real-world state of the technology. Layer 3 switching routers are capable of
handling basic LAN-based Layer 3 functions, including routing and media
conversion. Newer switching products are adding Layers 4 and 5 to their forwarding and processing lookups. This high-speed LAN-optimized routing
technology is particularly important when considering load-balancing and
queuing, because additional information regarding the packet flow can
greatly increase the efficiency of the overall network capacity.
Nodes
Network design can be a precise exercise in which the designer knows
exactly how much data will be sent across the network and when these transmissions will occur. Unfortunately, such accuracy would be short-lived and
extremely time-consuming to obtain. General guidelines are actually just a
means of simplifying the technical process while maintaining sufficient accuracy.
A number of factors combine to determine the number of nodes per network. For example, 10-Base-2 will support only 30 nodes according to the
specification, but most installations surpass this threshold. Ignoring this limitation, most network designers today are concerned with Ethernets, broadcasts, and cable distances.
The 10-Base-T specification permits 1024 nodes per collision domain and
has a variety of rules, such as the 5-4-3-2-1 rule that governs node placement
and installation. However, broadcast traffic and protocol selection greatly
erode those guidelines. Table 2.2 notes the recommended maximum number
of nodes per broadcast domain for the various common protocols on Ethernet technologies. Other physical media may not support the number of
nodes reflected in the table.
TABLE 2.2 Recommended Maximum Number of Nodes per Broadcast Domain
Protocol             Number of Nodes
AppleTalk            200 or less
NetBIOS              200 or less
IPX                  500
IP (well designed)   1000
The 5-4-3-2-1 rule was used in the design of 10MB Ethernet networks with
repeaters. It is not applicable with switches and faster Ethernet installations.
The rule stated that Ethernet networks could have the following: five segments, four repeaters, three populated, two unpopulated, and one network.
This rule was a guide to prevent collisions and contention problems that
would pass through repeaters.
FIGURE 2.2 (diagram not reproduced; labels: VLAN 1 Red, VLAN 2 Blue, VLAN 3 Green, VLAN 4 White, VLAN 5 Yellow, Router)
As the diagram shows, the designer must connect each VLAN to a separate router interface. Thus, for this five-VLAN model, the designer would
need to purchase and connect five different links.
Figure 2.3 displays a trunked installation, which provides a single,
100MB Ethernet interface for all five VLANs. This design is commonly
referred to as the router on a stick design. Were the non-trunked VLANs
connected with 10MB interfaces, this design would clearly provide as much
theoretical bandwidth.
FIGURE 2.3 (diagram not reproduced; labels: VLAN 1 Red, VLAN 2 Blue, VLAN 3 Green, VLAN 4 White, VLAN 5 Yellow, Router)
However, many administrators and designers would fret about taking five
100MB interfaces and reducing them to a single 100MB trunk. While their
concern is clearly justified, each installation is different. Fortunately, there is
a compromise solution that can provide ample bandwidth and retain some
of the benefits found in trunking.
Cisco has introduced EtherChannel technologies into the switch and
router platforms. This configuration disables the spanning tree and binds up
to four links to provide four times the bandwidth to the trunk. This solution
works well in practice for a number of reasons, including:
It is rare for all VLANs to require bandwidth concurrently in production networks. This fact allows for substantial oversubscription of the
trunk without providing underutilized bandwidth.
ISL
The Inter-Switch Link (ISL) protocol adds a 30-byte encapsulation header to
each frame. This encapsulation tags the frame as belonging to a specific
VLAN. ISL is proprietary to Cisco, and while other vendors (including Intel)
have licensed the technology, it is slowly losing market share to the ratified
IEEE 802.1q standard. ISL provides a great deal of information in its headers, including a second CRC in the encapsulation. ISL trunks can be
deployed between routers and switches, switches and switches, and servers
and switches or routers.
It is likely that Cisco will migrate away from the ISL protocol in favor of 802.1q.
Designers should consider this factor when evaluating the protocol. Such a
migration, should it occur, will likely take many years to come to fruition.
802.1q
The IEEE 802.1q standard provides a low-overhead method for tagging
frames. Since it is an open standard, most designers select 802.1q when using
non-Cisco equipment or to avoid committing to a single vendor. The 802.1q
specification adds four octets of header to each frame. This header identifies
the frame's VLAN membership, but it does not include a CRC checksum for
validation of the header. This is not a significant issue in most reliable networks. The reduced header, compared to ISL, and lack of CRC greatly
diminishes the overhead associated with this trunking technology.
Both ISL and 802.1q may cause incorrectly configured network devices to
report giants (oversized frames). These giant frames are beyond the specified number of octets, as per the Ethernet standard. It is important to understand that both the ISL and 802.1q specifications increase the maximum
number of bytes allowed, in contrast to traditional Ethernet.
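The four-octet 802.1q tag and the giant-frame symptom can both be shown on the wire. The block below is an added example for this edition, not code from the book or from any vendor; the MAC addresses and payload are constructed. It inserts a tag (TPID 0x8100 followed by the 16-bit tag control field carrying the 3-bit priority, the 1-bit drop-eligible flag and the 12-bit VLAN ID) after the source address, parses it back out, and classifies frame length the way a port would: a port that does not expect tags applies the 1518-byte Ethernet limit and reports a full-size tagged frame (1522 bytes) as a giant, while a tag-aware port accepts it. The 30-byte figure used for ISL is the one the text gives; the ISL header layout itself is not modelled.

```python
import zlib

ETHERNET_MAX_UNTAGGED = 1518   # 14-byte header + 1500-byte payload + 4-byte FCS
ETHERNET_MAX_8021Q = 1522      # the 4-octet tag raises the limit on tag-aware ports
ISL_OVERHEAD = 30              # per the text: ISL encapsulation adds 30 bytes per frame
TPID_8021Q = 0x8100            # Tag Protocol Identifier that marks an 802.1q-tagged frame


def add_dot1q_tag(frame_without_fcs: bytes, vlan_id: int, priority: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1q tag between the source MAC and the original EtherType.
    Nothing in the tag protects the tag itself; only the frame FCS covers it."""
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("VLAN ID is 12 bits, priority 3 bits, DEI 1 bit")
    tci = (priority << 13) | (dei << 12) | vlan_id
    tag = TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return frame_without_fcs[:12] + tag + frame_without_fcs[12:]


def parse_dot1q(frame_without_fcs: bytes):
    """Return (vlan_id, priority, ethertype) for a tagged frame, or
    (None, None, ethertype) when the frame carries no tag."""
    tpid = int.from_bytes(frame_without_fcs[12:14], "big")
    if tpid != TPID_8021Q:
        return None, None, tpid
    tci = int.from_bytes(frame_without_fcs[14:16], "big")
    ethertype = int.from_bytes(frame_without_fcs[16:18], "big")
    return tci & 0x0FFF, tci >> 13, ethertype


def classify_size(frame_with_fcs: bytes, port_understands_tags: bool) -> str:
    """Apply the length check a receiving port performs. A port not configured
    for trunking uses the plain Ethernet limit and logs larger frames as giants."""
    limit = ETHERNET_MAX_8021Q if port_understands_tags else ETHERNET_MAX_UNTAGGED
    return "giant" if len(frame_with_fcs) > limit else "ok"


def isl_length(untagged_frame_with_fcs: bytes) -> int:
    """Length the same frame would have inside ISL encapsulation (text's 30-byte figure)."""
    return len(untagged_frame_with_fcs) + ISL_OVERHEAD


def build_max_size_frame(vlan_id=None, priority: int = 0) -> bytes:
    """Constructed full-size IPv4 frame: 1500-byte payload, optional tag, CRC-32 FCS."""
    header = bytes.fromhex("00d0ba0102aa") + bytes.fromhex("00d0ba0102bb") + b"\x08\x00"
    body = header + bytes(1500)
    if vlan_id is not None:
        body = add_dot1q_tag(body, vlan_id, priority)
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + fcs.to_bytes(4, "little")


if __name__ == "__main__":
    untagged = build_max_size_frame()
    tagged = build_max_size_frame(vlan_id=10, priority=5)
    print("untagged length:", len(untagged), classify_size(untagged, False))
    print("tagged length:  ", len(tagged), "non-trunk port:", classify_size(tagged, False),
          "trunk port:", classify_size(tagged, True))
    print("parsed tag (vlan, priority, ethertype):", parse_dot1q(tagged[:-4]))
    print("same frame in ISL would be", isl_length(untagged), "bytes")
```

When a switch or server port reports giants after a trunk is enabled, the first thing to check is therefore whether every device on the link has been told to expect the tag; the frames are not malformed, the receiver is applying the wrong limit.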
802.10
FDDI may be used as a trunking medium in VLAN networks by incorporating the 802.10 protocol, which was originally developed to provide Layer 2
security. However, the use of the Security Association Identifier, or SAID,
permits assignment of a VLAN ID. SAID provides for 4.29 billion VLANs.
The 802.10 encapsulation consists of a MAC header followed by a clear
header. The clear header is not encrypted and consists of the 802.10 LSAP,
or Link State Access Protocol (LSAPs are defined by the IEEE and occupy the
LLC portion of the frame, comprising the destination service access point,
source service access point, and control byte), the SAID, and an optional
Management Defined Field, or MDF. The standard provides for a protected
header to follow the MDF, with data and a checksum, referred to as the
Integrity Check Value, or ICV. In VLAN trunking, only the IEEE 802.10
LSAP and the SAID value are used before the data block.
To configure 802.10, the administrator must define the relationship
between the FDDI VLAN and the Ethernet VLAN. The first VLAN, or
default VLAN, is defined automatically.
It is important to note that 802.10 VLAN packets are valid MAC frames
and may cross non-802.10 devices within the network. Also, VLAN IDs and
SAID values are independent of each other, except when related in the
switch table.
LANE
LAN Emulation (LANE) will be described in greater detail later in this chapter. For the moment, note that LANE is also used as a trunking technology.
LANE is often introduced as the first-phase migration step to ATM in the
network.
TABLE 2.3 Possible Solutions (only the problem column survived extraction)
Problem                 Possible Solutions
Excessive broadcasts    (not recovered)
Protocol issues         (not recovered)
Addressing issues       (not recovered)
Given the logical structuring role of the address, addressing issues must include the involvement of a routing device.
One of the best ways to avoid this situation is to generate reports that a lay
person can understand. A number of products are available; my favorite is
Concord Network Health, although there are others, including Cisco's
RMON tools. The designer can post the resulting reports on a Web site so
that users can see the status of the network whenever they wish.
A fear that non-network designers will start to second-guess every issue in
the reports is natural, and it will happen from some people. However, the
reports can also provide the needed visibility to upper management to justify funding and resources. Most networks hide the problems, so they never
get fixed. If you need to be convinced that disclosure is a positive step, take
a look at Cisco's Web site, www.cisco.com. The vast majority of bugs in
Cisco's software are documented and disclosed publicly. Granted, such
problems can be embarrassing to the company, but the result over the past
few years has been an incredible increase in market share and a vast
improvement in the overall product line. Improved service should be the
goal of every IT department.
Physical Topologies
The distribution room is typically in the basement or on the first floor of the
building, although the designer should consider the risk of flooding and
other disasters before allocating facilities. Usually, the room will need to
align with the wiring closets on the other floors.
FIGURE 2.4 (diagram not reproduced; labels: Third Floor, Second Floor, First Floor, Basement, Server Farm, FDDI Ring)
FIGURE 2.5 (diagram not reproduced; labels: Third Floor, Second Floor, First Floor, Basement, Server Farm, Token Ring on each floor and at the server farm)
FIGURE (number not recovered; diagram not reproduced; labels: Third Floor, Second Floor, First Floor, Basement, Server Farm)
Please note that this section is beyond the scope of the exam, but it is likely
that Cisco will include this material in future exam revisions. A practical
application of this material necessitates its inclusion here.
Consider the design illustrated in Figure 2.7. A complete loop has been
created at Layer 2, but spanning tree is configured to block a port on the
access-layer switch. Routers are not displayed in order to emphasize the
Layer 2 facets of this installation.
FIGURE 2.7 (diagram not reproduced; label: Blocked)
Consider the change to the network that is illustrated in Figure 2.8. The
link between the two distribution layer switches has been removed for the
VLAN that services the access layer. HSRP has also been deployed. While
this design is shown in Figure 2.8 with external routers, the connections
could also be provided by a route module in the switch.
FIGURE 2.8 (diagram not reproduced; labels: HSRP Primary, HSRP Secondary)
Figure 2.8 shows the use of external routers, which may lead to a split subnet
or black hole problem, as discussed in Chapter 13. This design works best
when using RSM or internal Layer 3 logic in the switch, as the link failure from
the distribution switch to the access switch will down the router interface, preventing this problem.
In making this change, the designer has eliminated the slower spanning-tree process and potentially eliminated the need for BPDUs (Bridge Protocol
Data Units) altogether, although there is still a risk of the users creating
bridging loops. The design is redundant and quite scalable. In addition, with
routers and switches working together in multilayer switching configurations, the latency often associated with routers is reduced as well. A typical
installation using this design model would place a single transit VLAN
between the switches. Such a design would still avoid a Layer 2 loop while
maintaining a through switch connection. Designers should consider the
expected network behavior during both normal and failed scenarios when
architecting any configuration.
Designers should not disable the Spanning-Tree Protocol unless they can
ensure a loop-free topology.
ports. To the ATM network, it appears that the single ATM LEC is requesting data; in actuality, the LEC is simply a proxy for the individual requests
from the legacy nodes.
Given the interdependency of the LES and BUS services, most references use
the term LES/BUS pair to denote the server providing these services.
Cisco's implementation of LANE places the BUS on the same device as the
LES. This design will likely change in the future, since it is inconsistent with
other vendors' offerings.
The CLSC Study Guide from Sybex provides more detail regarding ATM
LANE and the Catalyst 5500 platform, including the LS1010.
FIGURE 2.9 (diagram not reproduced)
Summary
This chapter discussed many of the tools and technologies used in the
local area network to address problems typically faced by network designers.
Newer technologies, such as ATM LANE, were covered, in addition to more
traditional tools and technologies, including Ethernet routers and switches.
Specific attention was given to:
LAN technologies
Ethernet
Token Ring
FDDI
ATM
ATM LANE
Interconnectivity tools
Repeaters
Hubs
Switches
Routers
Problem categories
Media
Transport
Protocols
Trunking protocols
ISL
802.1q
802.10
LANE
Review Questions
1. Broadcasts are controlled by which of the following devices?
A. Bridges
B. Repeaters
C. Routers
D. Switches
2. Routers perform which of the following functions?
A. Access control
B. Logical structure
C. Media conversions
D. None of the above
3. Which of the following devices operate at Layer 2 of the OSI model?
A. Routers
B. Gateways
C. Switches
D. Bridges
4. Which of the following is true regarding cut-through switching?
A. The frame is forwarded following verification of the CRC.
B. The frame is forwarded following verification of the HEC.
C. The frame is forwarded upon receipt of the header destination
address.
D. The frame is forwarded out every port on the switch.
address.
D. The frame is forwarded out every port on the switch.
6. Negating overhead and conversions, the designer chooses to replace
the legacy FDDI ring with an ATM switch attached via OC-3. Assuming a backbone of 10 devices, no overhead, and equal distributions,
the increase in available bandwidth per device is:
A. 55Mbps
B. 100Mbps
C. 145Mbps
D. 1Gbps
E. 1.54Gbps
7. An Ethernet switch:
A. Defines the collision domain
B. Defines the broadcast domain
C. Defines both the broadcast and collision domains
D. Sends all broadcasts to the BUS (broadcast and unknown server)
8. Which of the following would be a reason to not span a VLAN
would have to traverse the WAN, which typically uses slow links.
B. Reduced costs, since fewer router interfaces are required.
C. Easier addressing during moves.
D. Non-routed workgroup traffic across geographically removed
locations.
routes
11. Which of the following reasons might influence a designer to use a
the IP network?
A. Implementation of VLSM
B. Implementation of HSRP
C. Implementation of EIGRP
D. Implementation of OSPF
14. A distributed backbone typically:
A. Contains a single router in the data center
B. Is completely flat within the building or campus
C. Contains multiple routers, typically with one per floor or area
D. Requires the use of ATM LANE, version 2.0
15. ATM uses:
A. 53-byte cells
B. 53-byte frames
C. Variable-length cells
D. Variable-length frames
16. Which of the following is optional in ATM LANE?
A. LEC
B. LES
C. BUS
D. LECS
Layer 3.
B. Media issues involve voice and video, while transport issues are
While not covered until Chapter 4, readdressing for OSPF and EIGRP
is common, making C and D correct as well.
14. C.
15. A.
16. D.
17. D.
18. B, C, D.
19. C.
20. D.
Address assignments
Subnet masks
Address summarization
not certification) that the subnet mask defines the bits in the IP address
that are to be used for defining the subnet and host ranges. A binary 1 in
the subnet mask defines the network portion of the address, while a
binary 0 defines the host portion. Routing is based on the network portion of the address.
If concepts such as subnet masks and IP addresses are unfamiliar, you may
wish to obtain and study the Sybex CCNA Study Guide.
IP Addresses
RFC 760, the original IP specification, did not refer to classes. RFC 791 incorporated the term classful addressing.
As reflected in Table 3.1, there are five IP address classes. The high-order
bits in the first octet determine this arrangement; thus, any address with the
first bits equal to 10 in the first octet belongs to Class B. The bit value is significant in determining the major class of the network. Note that the high-order bits in Table 3.1 reflect the binary representation of the number; for
example, 00000001 in binary equals 1 in decimal. Without changing the first
bit from a 0 to a 1, the highest number that can be represented is 127; however, this is reserved and not part of the Class A space, shown in the first column. The decimal range of the numbers available with the shown high-order
bits is presented in the third column.
TABLE 3.1 IP Address Classes

Class   High-Order Bits   Decimal Range of First Octet
A       0                 1-126
B       10                128-191
C       110               192-223
D       1110              224-239
E       1111              240-254
IP Network Classes
The IP protocol, version 4, was designed around the concept of network
classes in order to provide a natural boundary that all routers could use. This
was slightly better than the flatter area-code model used by the telephone
company, wherein each area may contain only 10 million numbers and each
sub-area is limited to 10 thousand numbers.
Examples using phone numbers are based on the North American numbering
plan. Countries based on other numbering plans typically share the characteristics of this model but may not provide the same number of available
addresses.
The early designers of the Internet realized that some sites may need thousands of subnets, or prefix (sub) areas. Others, they reasoned, might need
only one or two. This strategy evolved into the five address classes noted in
Table 3.1, which have the following characteristics.
Class A Addresses
Class A addresses contain a 0 in the first bit of the first octet. These IP
addresses are presented as 0-126 in the first octet. Designers like Class A address
blocks because they allow the most flexibility and largest range of
addresses, particularly when classful routing protocols are in use. However, assignments in Class A also waste a huge number of addresses:
addresses that go unused. This single factor has led to the development of
IP v6 and other techniques to extend the life of IP v4, including CIDR
(Classless Internet Domain Routing), RFC 1918 addresses, and network
address translation (NAT).
The network address 127.0.0.0 is reserved for the loopback function. This feature is used for diagnostic purposes and typically encompasses the single
address of 127.0.0.1. However, any address in the range is reserved for the
function.
Class B Addresses
Class B addresses contain a 1 in the first bit of the first octet and a 0 in the second
bit of the first octet. These IP addresses are presented as 128-191 in the first
octet. The benefit to Class B addresses becomes clear in larger organizations.
These addresses provide a broad block of addresses for the organization while
attempting to reduce the waste caused by Class A block sizes; few organizations need the volume of addresses provided by Class A blocks.
Class C Addresses
Class C addresses contain a 1 and a 1 in the first two bits of the first octet and
a 0 in the third bit of the first octet and range from 192 to 223 in decimal notation. Up to 254 hosts may be assigned within the class, assuming that the entire
subnet is equal to the major network. Under the current addressing allocations, Class C address blocks are easier to obtain than Class A or B allocations
but are very limited for most organizations. Therefore, companies generally
receive a block of contiguous Class C blocks, which are summarized as a
supernet. This is also referred to as CIDR.
Class D Addresses
Class D addresses are reserved for IP multicast. Additional information
regarding multicast is presented in Chapter 13.
Class E Addresses
Class E is reserved for future use and is currently undefined.
Subnetting in IP
The idea of subnetting in IP is perhaps the concept most misunderstood by
new administrators and designers. Unlike AppleTalk and IPX, IP addresses
are assigned at both the network and host levels. In AppleTalk and IPX, the
administrator or designer need only assign the network-level address. An
interesting twist on these protocol characteristics is that the control that IP
offers designers can also be a hindrance in that more must be manually configured. This manual process requires decisions and sets limitations that are
not present in AppleTalk or IPX.
As will be described in Chapter 6, IPX addresses are a combination of the
MAC (Media Access Control) layer address (hardware address) and the IPX
network number, which is assigned by the administrator on the router. A virtually unlimited number of hosts may become members of an IPX network.
Bits   Subnet Mask        Number of Subnets   Number of Hosts Per Subnet
18     255.255.192.0      2                   16,382
19     255.255.224.0      6                   8,190
20     255.255.240.0      14                  4,094
21     255.255.248.0      30                  2,046
22     255.255.252.0      62                  1,022
23     255.255.254.0      126                 510
24     255.255.255.0      254                 254
25     255.255.255.128    510                 126
26     255.255.255.192    1,022               62
27     255.255.255.224    2,046               30
28     255.255.255.240    4,094               14
29     255.255.255.248    8,190               6
30     255.255.255.252    16,382              2
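As an added illustration (not code from the book), the following Python derives the address class from the high-order bits of Table 3.1, the natural mask a classful protocol presumes, and the rows of the Class B subnetting table above. The class letters and the subtract-two convention come from the text; the function names are my own.

```python
import ipaddress

# Added example, not the book's code: derive the IPv4 address class from the
# high-order bits of the first octet (Table 3.1), the natural mask a classful
# router presumes, and the rows of the Class B subnetting table above.

# (class letter, leading bits of the first octet) in the order of Table 3.1
CLASS_BITS = [("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111")]
# Natural (classful) prefix length; Classes D and E have none.
NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(address):
    """Return the class letter by matching the leading bits of the first octet.
    127.x.x.x matches the Class A pattern but is the reserved loopback network."""
    bits = format(int(address.split(".")[0]), "08b")
    for letter, leading in CLASS_BITS:
        if bits.startswith(leading):
            return letter
    raise ValueError(f"unclassifiable address {address}")


def mask_from_prefix(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 20 -> 255.255.240.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def natural_mask(address):
    """Mask a classful routing protocol assumes for a network it has no
    local interface in: 255.0.0.0, 255.255.0.0 or 255.255.255.0."""
    letter = address_class(address)
    if letter not in NATURAL_PREFIX:
        raise ValueError(f"Class {letter} has no natural mask")
    return mask_from_prefix(NATURAL_PREFIX[letter])


def subnet_row(prefix, natural_prefix=16):
    """One row of the subnetting table: (mask, usable subnets, usable hosts).
    Both counts subtract 2, as the table does: the all-zeros and all-ones
    subnets and the network and broadcast host addresses are excluded."""
    subnet_bits = prefix - natural_prefix
    host_bits = 32 - prefix
    return (mask_from_prefix(prefix), 2 ** subnet_bits - 2, 2 ** host_bits - 2)


def subnet_table(natural_prefix=16, first=18, last=30):
    """The table above as {prefix length: (mask, subnets, hosts)}."""
    return {p: subnet_row(p, natural_prefix) for p in range(first, last + 1)}


if __name__ == "__main__":
    for prefix, (mask, subnets, hosts) in subnet_table().items():
        print(f"/{prefix:<3} {mask:<16} {subnets:>6,} {hosts:>6,}")
```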
Address Assignments
FIGURE: Hierarchical addressing. Call uses area code to determine intra-area status, then uses prefix and host number to reach destination. (Figure labels: area codes 408, 415, 707; prefixes 408-555, 408-556, 415-555, 707-555; numbers 408-555-6789, 408-556-1234, 707-555-3456.)
Use legal, public addresses assigned to the Internet Service Provider (ISP).
Available        Allocation
10.0.0.0         1 Class A network
                 16 Class B networks
This presentation will focus on IP v4. Designers should consider IP v6, a newer
addressing scheme that uses 128 bits.
Public Addresses
Differing from the private addresses, public addresses are assigned and
unique throughout the Internet. Unfortunately, under IP v4 and the methods
used to assign addresses, there is a shortage of address space, especially in the
larger network allocations, Classes A and B.
There should be little surprise that the advantages of RFC 1918 addresses
are the disadvantages of public addresses, given the binary nature of selecting public or private address space. The corollary is also true.
The most significant negative of private addresses is that they are private.
Anyone in any company can select any of them to use as they see fit. Some
would argue that the benefits of returning IP addresses to the public pool to
address the negatives are worth the complexities, including address translation and proxying Internet connections. However, consider the impact when
two corporations not using RFC 1918 addresses merge in the context of the
following:
Designers are assured that their addresses are unique. This may
become an issue following the merger of two companies that selected
addresses under RFC 1918.
When corporations merge, they ultimately will merge data centers and
resources to reduce operating costs. This will typically require readdressing
for at least one of the two merged organizations if there is overlap. In addition, it is atypical for two design teams to allocate addresses exactly the same
way. For example, architect one may place routers at the top of the address
range, while architect two may prefer the bottom. Both ways are valid, but
upon integration this minor difference may cause problems for support staffs
and administrators.
The router is designed to isolate the broadcast domain and divide networks on logical boundaries, a function of the OSI model's Layer 3. This
differs from switches and bridges, which operate at Layer 2, and repeaters
and hubs, which operate at Layer 1.
Today's routers provide many additional features for the network architect, including security, encryption, and service quality. However, the role of
the router remains unchanged: to forward packets based on logical
addresses. In network design, this is considered routing.
Routing
The router provides two different functions in the network beyond the simple isolation of the broadcast domain. First, the router is responsible for
determining paths for packets to traverse. This function is addressed by the
routing protocol in use and is considered overhead. The dynamic updates
between routers are part of this function.
The second function of the router is packet switching. This is the act of
forwarding a packet based upon the path-determination process. Switching
encompasses the following:
While the router may also handle additional services, this list describes the
functional steps required by the forwarding process. In addition to the forwarding of packets based on the Layer 3 logical address, the router is also
required to determine the routes to those destinations, a process that relies
on the administrative distance function described in the next section. However, routing, or more accurately, administration of the router, requires
designers to consider many factors. Addressing, routing protocols, access
lists, encryption, route maps (manipulation of the routing tables), and router
security will only demand more attention in future years. Paths will also
incorporate mobile IP and VPN (Virtual Private Network) technologies as
the concept of an 80/20 rule migrates through 20/80 and toward 2/98. This
means that virtually no traffic will remain local to the subnet, and as a result,
the demands on administrators to work with other service providers will also
increase.
If the router does not have a local interface in the major network and it
receives a routing update with a classful protocol, the router will presume the
natural mask. The natural mask for Class A is 255.0.0.0; for Class B it is
255.255.0.0; and for Class C it is 255.255.255.0. Readers should make sure
that they understand how to identify an address class and what the natural
mask would be before continuing. This subject is covered in greater detail in
the CCNA and ICRC preparation materials.
Administrative Distance
A router performs its function by determining the best method to reach a
destination, a function that relies on the routing table and metrics. Metrics
will be reviewed in greater detail in Chapter 4, but for now the metric of hops
used in the IP RIP protocol will be our basis. You may recall that IP RIP adds
a hop to each route when it passes through a router. Therefore, a source
router can compare two or more routes to the same destination and typically
presumes that the lowest hop count determined by the routing protocol will
correspond with the best path through the network. Chapter 4 will discuss
the limitations of the hop-based methodology; however, this system works
reasonably well for links of similar bandwidth.
Cisco routers can also differentiate between IP routes based on the administrative distance. By adjusting the administrative distance, the administrator
can implement a routing policy. This policy may be used during migration
from one routing protocol to another or when multiple protocols exist in the
network. Another use of the administrative distance is floating static routes,
which are frequently used to supply a route when the routing protocol or
link fails. Under these conditions, the static route is normally used with a
DDR (dial-on-demand routing) circuit, and the administrator assigns a
higher administrative distance to the static route than would be found with
the dynamic protocols; once the dynamic routing protocols have exhausted
all their routes, or the protocol has failed due to link failure, the highest
administrative distance is the static route. Table 3.4 documents the administrative distances associated with various route sources. Note that by
default a static route will supersede a dynamic routing protocol.
TABLE 3.4 Administrative Distance

Route Source          Administrative Distance
Directly connected    0
Statically defined    1
BGP                   20
BGP external          170
Internal EIGRP        90
External EIGRP        180
IGRP                  100
OSPF                  110
RIP                   120
Floating Static
The administrative distance is set with the distance command. The highest value is 255, and it is placed on each interface.
The router will select routes based on their administrative distance before
considering the routing metric. This is an important consideration in both
design and troubleshooting as the router may not act as expected; in actuality, it is doing exactly what it was told. This issue is particularly common
in route redistribution. Designers employ route redistribution when a routing protocol's information must be propagated via another routing protocol.
For example, the designer would use redistribution to transfer RIP routes
into OSPF (Open Shortest Path First).
Routing protocols also incorporate characteristics that may require additional consideration. For example, connections likely fit into one of the following three types:
Host-to-router
Router-to-router
Host connections may obtain router information using a number of methods. These methods include:
Use of the ICMP (Internet Control Message Protocol) Router Discovery Protocol (IRDP).
The previous items in concert with Cisco's Hot Standby Router Protocol (HSRP).
Route          Mask   Device
10.12.24.48    /32    Host
10.12.24.0     /24    Subnet
10.0.0.0       /8     Network
0.0.0.0        /0     Default
Based on this example, it would be fair to say that the router has four
routes to the host. And clearly, the best route is the most specific host
route. However, as noted before, it is impractical for every router to maintain information regarding each host in the network. Referring to the area-code model, it would be just as valid for a remote router to maintain the
subnet or network routes; the path, or next hop, remains the same. Taken
to the extreme, networks at the far end of a hub-and-spoke design, shown
in Figure 3.2, can provide connectivity with a single route. The default
route is used when no other routes match the packet. Since Router A in Figure 3.2 sees everything except 192.168.2.0 as being outside the serial interface, it is easy for the designer to omit all other routes from this router and,
in essence, fully summarize the routing table.
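To show both selection steps described above at work, here is an added Python model (not the book's code) of how a router first installs one route per prefix by administrative distance (Table 3.4) and then forwards on the longest matching prefix among the four routes to 10.12.24.48. The next-hop addresses and metrics are constructed; 0 for connected and 1 for static are the Cisco defaults the table omits, and 250 for the floating static is an assumed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the book's code: how a router chooses among the four routes
# to 10.12.24.48 shown above, and how administrative distance (Table 3.4) picks
# between sources for the same prefix, including a floating static route.
# "connected" = 0 and "static" = 1 are the Cisco defaults omitted from the
# table; 250 for the floating static below is an assumed value.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "rip": 120,
}


@dataclass(frozen=True)
class Route:
    prefix: str                      # e.g. "10.12.24.0/24"
    source: str                      # key into ADMIN_DISTANCE
    next_hop: str
    metric: int = 0                  # comparable only within one source
    distance: Optional[int] = None   # override, as set with the distance command

    @property
    def network(self):
        return ipaddress.IPv4Network(self.prefix)

    @property
    def admin_distance(self):
        return ADMIN_DISTANCE[self.source] if self.distance is None else self.distance


def install(candidates: List[Route]) -> List[Route]:
    """Build the routing table: for each prefix keep the candidate with the lowest
    administrative distance, then the lowest metric. This is the step where a
    static route supersedes a dynamic one by default, and where a floating
    static loses until the dynamic route for that prefix is withdrawn."""
    table = {}
    for route in sorted(candidates, key=lambda r: (r.admin_distance, r.metric)):
        table.setdefault(route.prefix, route)
    return list(table.values())


def best_route(table: List[Route], destination: str) -> Optional[Route]:
    """Forwarding lookup: the most specific (longest) matching prefix wins,
    regardless of its source. Returns None when nothing matches, which only
    happens if there is no default route."""
    address = ipaddress.IPv4Address(destination)
    matches = [r for r in table if address in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


# Constructed candidates: the book's four routes to 10.12.24.48, plus a second
# opinion about the subnet from RIP. OSPF (110) wins that prefix over RIP (120)
# even though RIP's metric looks smaller: metrics are not comparable across
# protocols, and the router is "doing exactly what it was told".
CANDIDATES = [
    Route("10.12.24.48/32", "static", "10.1.1.1"),
    Route("10.12.24.0/24", "ospf", "10.1.1.2", metric=20),
    Route("10.12.24.0/24", "rip", "10.1.1.3", metric=3),
    Route("10.0.0.0/8", "eigrp", "10.1.1.4", metric=2816),
    Route("0.0.0.0/0", "static", "10.1.1.9"),
]

# Floating static: same prefix as the RIP route, deliberately worse distance,
# so it only carries traffic once the RIP route disappears.
RIP_ROUTE = Route("192.168.2.0/24", "rip", "10.1.1.3", metric=2)
FLOATING_STATIC = Route("192.168.2.0/24", "static", "10.9.9.1", distance=250)

if __name__ == "__main__":
    table = install(CANDIDATES)
    for destination in ("10.12.24.48", "10.12.24.7", "10.200.1.1", "192.0.2.9"):
        chosen = best_route(table, destination)
        print(f"{destination:<12} -> {chosen.prefix:<16} via {chosen.source}")
    print("with RIP:", best_route(install([RIP_ROUTE, FLOATING_STATIC]), "192.168.2.10").source)
    print("RIP gone:", best_route(install([FLOATING_STATIC]), "192.168.2.10").source)
```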
FIGURE 3.2 (figure labels: 192.168.2.0, Rest of World)
Discontiguous Subnets
FIGURE: Discontiguous subnets (figure labels: 10.0.0.0, 192.168.10.0, 10.0.0.0)
116
Chapter 3
effect, makes the two networks contiguous. A better solution is to use a classless
routing protocol that can summarize and accurately maintain information
regarding the two halves of the network. This also makes VLSM and other features available to the network and typically simplifies administration.
Discontiguous networks can be addressed with static mappings and other
techniques; however, this can lead to black holes. This concept is presented
in Chapter 13; briefly, however, a black hole may leave a network unreachable under various failure scenarios.
Address Summarization
Address        Binary Representation
192.168.4.0    11000000.10101000.00000100.00000000
192.168.5.0    11000000.10101000.00000101.00000000
192.168.6.0    11000000.10101000.00000110.00000000
192.168.7.0    11000000.10101000.00000111.00000000
Notice how the only variance in the addresses is limited to two bits, the last two bits of the third octet? In order for the router to understand the range of addresses
that is important, the administrator need only define the base address,
192.168.4.0, and the number of bits that are significant, 22. The 23rd
and 24th bits don't matter, as whatever they equal still meets the range.
As a result of summarization, the network may be referenced as
192.168.4.0/22, or 255.255.252.0; the 23rd and 24th bits are moot. This
summarization may be used in access lists (defined with a wildcard mask) or
routing entries, although administrators should take care when using summarization and non-subnet-aware routing protocols. This topic will be discussed in detail in Chapter 4.
Summarization can be accomplished because the range of addresses meets
two very important criteria. These are:
The significant byte, which in this example is the third octet, is a multiple of the number of subnets in the range. Again, this number is four.
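The following Python is an added example (not the book's code) that carries the 192.168.4.0 through 192.168.7.0 walkthrough above through in code: it prints the dotted-binary form, finds the summary prefix, subnet mask and the wildcard mask an access list would use, and rejects blocks that fail the alignment or fill criteria. Function names are my own.

```python
import ipaddress

# Added example, not the book's code: compute the summary (supernet) route that
# covers a contiguous block of networks, following the 192.168.4.0 - 192.168.7.0
# walkthrough above, and check the criteria that make summarization valid.

ALL_ONES = 0xFFFFFFFF


def binary(address):
    """Dotted-binary form of an address, as shown in the table above."""
    return ".".join(format(int(octet), "08b") for octet in address.split("."))


def dotted(value):
    return str(ipaddress.IPv4Address(value))


def summarize(networks):
    """Return (base, prefix length, subnet mask, wildcard mask) for one summary
    covering every network in `networks` (CIDR strings of equal size).
    Raises ValueError when no single prefix describes the block exactly."""
    nets = sorted({ipaddress.IPv4Network(n) for n in networks})
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("component networks must be the same size")
    low = int(nets[0].network_address)
    high = int(nets[-1].broadcast_address)
    # Bits that differ between the lowest and highest address are the ones
    # that "don't matter"; everything above them is the significant prefix.
    prefix = 32 - (low ^ high).bit_length()
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    # Criterion 1: the base address is a multiple of the block size, i.e. it
    # sits on the summary boundary (192.168.4.0 does; 192.168.5.0 would not).
    if low & mask != low:
        raise ValueError(f"{dotted(low)} is not aligned to a /{prefix} boundary")
    # Criterion 2: the networks fill the block completely, so their count is a
    # power of two (four /24s make one /22; three would leave a hole that the
    # summary would wrongly advertise as reachable, a black hole in the making).
    if len(nets) != 2 ** (nets[0].prefixlen - prefix):
        raise ValueError("networks do not completely fill the summary block")
    wildcard = mask ^ ALL_ONES   # access-list form of the same mask
    return dotted(low), prefix, dotted(mask), dotted(wildcard)


# Constructed input: the four networks from the table above.
BLOCK = ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"]

if __name__ == "__main__":
    for net in BLOCK:
        print(net, binary(net.split("/")[0]))
    print(summarize(BLOCK))   # ('192.168.4.0', 22, '255.255.252.0', '0.0.3.255')
```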
Load Balancing in IP
Process Switching
Process switching is the slowest and most processor-intensive of the routing
types. When a packet arrives on an interface to be forwarded, it is copied to
the router's process buffer, and the router performs a lookup on the Layer 3
address. Using the route table, an exit interface is associated with the destination address. The processor encapsulates and forwards the packet with the
new information to the exit interface. Subsequent packets bound for the
same destination address follow the same path as the first packet.
The repeated lookups performed by the router's processor and the processor's relatively slow performance eventually create a bottleneck and
greatly reduce the capacity of the router. This becomes even more significant
as the bandwidth and number of interfaces increase and as the routing protocols demand more processor resources.
Fast Switching
Fast switching is an improvement over process switching. The first packet of
a new session is copied to the interface processor buffer. The packet is then
copied to the CxBus (or other backplane technology as appropriate to the
platform) and sent to the switch processor. A check is made against other
switching caches (for example, silicon or autonomous) for an existing entry.
Fast switching is then used because no entries exist within the more efficient caches. The packet header is copied and sent to the route processor,
where the fast-switching cache resides. Assuming that an entry exists in the
cache, the packet is encapsulated for fast switching and sent back to the
switch processor. Then the packet is copied to the buffer on the outgoing
interface processor, and ultimately it is sent out the destination interface.
Fast switching is on by default for lower-end routers like the 4000/2500
series and may be used on higher-end routers as well. It is important to note
that diagnostic processes sometimes require reverting to process switching.
Fast-switched packets will not traverse the route processor, which provides
the method by which packets are displayed during debugging. Fast switching
may also be inappropriate when bringing traffic from high-speed interfaces
to slower ones; this is one area where designers must understand not only
the bandwidth potential of their links, but also the actual flow of traffic.
Fast switching guarantees that packets will be processed within 16 processor cycles. Unlike process-switched packets, the router's processor will
not be interrupted to facilitate forwarding.
Autonomous Switching
Autonomous switching is comparable to fast switching. When a packet
arrives on the interface processor, it checks the switching cache closest to it,
the caches that reside on other processor boards. The packet is encapsulated
for autonomous switching and sent back to the interface processor. The
packet header is not sent to the route processor. Autonomous switching is
available only on AGS+ and Cisco 7000 series routers that have high-speed
controller interface cards.
Silicon Switching
Silicon switching is available only on the Cisco 7000 with an SSP (Silicon Switch
Processor). Silicon-switched packets are compared to the silicon-switching cache
on the SSE (Silicon Switching Engine). The SSP is a dedicated switch processor
that offloads the switching process from the route processor, providing a fast-switching solution. Designers should note that packets must still traverse the
backplane of the router to get to the SSP, and then return to the exit interface.
NetFlow switching (defined below) and multilayer switching are more efficient
than silicon switching.
Optimum Switching
Optimum switching follows the same procedure as the other switching
algorithms. When a new packet enters the interface, it is compared to the
optimum-switching cache, rewritten, and sent to the chosen exit interface.
Other packets associated with the same session then follow the same path.
All processing is carried out on the interface processor, including the CRC
(cyclical redundancy check). Optimum switching is faster than both fast
switching and NetFlow switching, unless you have implemented several
access lists.
Optimum switching replaces fast switching on high-end routers. As with
fast switching, optimum switching must be turned off in order to view packets while troubleshooting a network problem. Optimum switching is the
default on 7200 and 7500 routers.
Distributed Switching
Distributed switching occurs on the VIP (Versatile Interface Processor)
cards, which have a switching processor onboard, so it's very efficient. All
required processing is done right on the VIP processor, which maintains a
copy of the router's routing cache. With this arrangement, even the first
packet needn't be sent to the route processor to initialize the switching path,
as it must with the other switching algorithms. Router efficiency increases as
more VIP cards are added.
It is important to note that access lists cannot be accommodated with distributed switching.
NetFlow Switching
NetFlow switching is both an administrative tool and a performance-enhancement tool that provides support for access lists while increasing the
volume of packets that can be forwarded per second. It collects detailed data
also more efficient than both the fast- and optimum-switching defaults. CEF
is wonderfully stable in large environments because it doesn't rely on cached
information. Instead of using a CEF cache, it refers to the Forwarding Information Base (FIB), which consists of information duplicated from the IP
route table. Every time the routing information changes, the changes are
propagated to the FIB. Thus, instead of comparing old cache information, a
packet looks to the FIB for its forwarding information.
CEF stores the Layer 2 MAC addresses of connected routers (or next-hop)
in the adjacency table. Even though CEF features advanced capabilities, you
should consider several restrictions before implementing CEF on a router.
According to the document Cisco Express Forwarding, available from the
Cisco Web page Cisco Connection Online, system requirements are quite
high. The processor should have at least 128MB of RAM, and the line cards
should have 32MB each. CEF takes the place of VIP distributed- and fast-switching on VIP interfaces. The following features aren't supported by CEF:
ATM DXI
Token Ring
Multipoint PPP
Policy routing
NAT
SMDS
CEF was designed for large networks; if reliable and redundant switching paths are necessary, CEF is certainly preferred. However, there are significant hardware requirements, and some Cisco IOS features may not be
available.
Cisco routers may support concurrent load balancing when routing IP.
However, this feature is dependent on the switching mechanism in use. Up
to six paths may be balanced in the current releases of the IOS, dependent on
the routing protocol in use.
Autonomous and silicon switching have been updated with optimum, distributed, and NetFlow. However, from a load-balancing perspective, they operate
in the same manner as their replacements. Autonomous and silicon-switched
packets will be load-balanced by destination.
Summary
IP address structures
IP address classes
IP address summarization
Designers should also be prepared to integrate this material into the following chapter, which details the IP routing protocols, and subsequent ones,
which address non-IP-based protocols and the issues that confront designers
in typical networks.
Review Questions
1. Which of the following are methods used to assign IP addresses?
A. Manual configuration
B. WINS
C. DHCP
D. BootP
E. NFS
2. The designer's major issues when designing for IP networks are:
A. Routing
B. Addressing
C. Security
D. Naming
E. All of the above
3. When selecting a routing protocol, the designer would NOT consider
must be:
A. Classful
B. Classless
C. Dynamic
D. Enhanced
7. A classful routing protocol will:
A. Not support VLSM
B. Route on the first octet bits and their significance
C. Not include subnet information in routing updates
D. All of the above
E. None of the above
following?
A. 255.0.0.0
B. 255.255.0.0
C. 255.255.255.0
D. Cannot be determined with the information provided
10. A routing update using a classful routing protocol (assuming no net-
IGRP, is:
A. All interfaces must be of the same type.
B. All interfaces must use the same network mask.
C. All interfaces must use the natural mask.
D. All interfaces must be within the same subnet.
another organization
B. To obtain Class C address space
C. To simplify NAT processes
D. None of the above
19. Each Class C network could support:
A. Two hosts
B. 16 hosts
C. 64 hosts
D. 254 hosts
20. Which of the following routes would the router most likely use?
A. A route to the subnet
B. A route to the host
C. A route to the network
D. A default route
IP Routing Protocols
In the previous chapter, the Internet Protocol (IP) and the criteria for
designing networks using IP were addressed. This chapter will build upon
those concepts by adding the dynamic IP routing protocols including RIP,
RIP version 2, IGRP, EIGRP, OSPF, ODR, BGP, and IS-IS.
Dynamic routing protocols were developed to circumvent the deficits
found in static routing. This chapter will present network design with static
routes, in addition to the IP routing protocols listed in Table 4.1. Please note
that each of these protocols will be presented in greater detail later in this
TABLE 4.1

Protocol   Characteristics
RIP
RIP v2
IGRP       Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary, distance-vector routing protocol. It uses a composite metric of 24 bits and offers faster convergence when compared to RIP. However, it does not support VLSM and sends its entire routing table every 90 seconds.
EIGRP
OSPF
IS-IS
ODR        On-demand routing (ODR) makes use of data in the proprietary Cisco Discovery Protocol (CDP) function in the Cisco IOS (Internet Operating System). CDP packets typically provide diagnostic information only about other Cisco routers; however, the ODR process can use this information to develop a routing table. It is a very limited routing function, but it provides many of the benefits of static routes without incurring the overhead of a routing protocol.
BGP        The Border Gateway Protocol (BGP) is the de facto protocol of the Internet backbone. Technically a path-vector protocol, the external version (eBGP) is primarily concerned with the relationships between autonomous systems (AS). One benefit to BGP is its use of persistent TCP sessions for the exchange of routing information.
Designers should consider the different resources that are needed to implement a routing protocol, including router CPU, router memory, link bandwidth, support staff familiarity, and protocol features, which include
support for VLSM, summarization, and convergence.
Designers should ask themselves the following questions when selecting a
routing protocol:
Some protocols send only the changes to the routing table during
an update. Other protocols send the entire routing table.
The time required to converge all routing tables in the internetwork depends upon many factors. Re-convergence occurs when a
path that is used suddenly becomes unavailable. Dynamic routing
protocols make every effort to locate an alternative route to the
destination. Some protocols, like EIGRP, calculate alternative
paths before the failure, which facilitates rapid convergence. Other
protocols require significant amounts of time to distribute information regarding the failure and calculate the alternative path.
Routers also combine various methods for learning routes. These methods should be designed to work together to establish the most efficient routing throughout the network. In addition to the technical considerations,
designers should also consider cost in defining efficiency.
The router may obtain route information from any or all of the following
sources:
Connected interfaces
Manipulation of the previous methods via access lists and other filters
Designers should also consider what methods are available to trigger failure updates. Local interfaces can be detected via keepalives, including ATM
OAM (operation, administration, and maintenance) cells, and the carrier-detect lead.
The administrator requires a route that takes effect upon failure of the
dynamic routing process. This is called a floating-static route.
There are a couple of deficits with static routes, however. First, the routes
are static, as the name suggests. This means that failures in the network
topology cannot be detected and circumvented automatically. Second, the
administrator must manually populate the routing table and maintain the
entries whenever a change to the network is made.
Cisco routers automatically support proxy ARP on most interfaces. The
proxy ARP function will spoof off-network resources with the router's MAC
(Media Access Control) address, and the router will take the responsibility of
forwarding packets to the final end node. This behavior permits the establishment of routes based on interfaces as opposed to the IP address. For
example, the route may be through router 192.168.5.1, but the administrator can reference the route as being out interface Ethernet 0/0.
Because of security, diagnostic, and performance concerns, it is recommended that administrators not use the proxy ARP function and that it be
disabled on all interfaces. While it is possible to find network administrators
with little or no experience with one of the more advanced dynamic routing
protocols, it is very unlikely that an administrator will not have experience
with static routes. This static route experience may be to define a default
route off the network or to define routes in areas where a dynamic routing
protocol would be undesirable, including those in secure arenas and between
companies.
Static routes offer the administrator a high degree of control over the network and consume no bandwidth for routing updates, making them advantageous on limited-bandwidth or low-reliability links. So, given the benefits
of static routes (familiarity, controllability, and efficiency), why would a
designer choose to not use static routes?
The answer typically is that designers do use static routes and, in fact, may
use them quite often in the overall network design. However, the scalability
of the network is greatly limited if the entire network is designed using static
routes. This chapter will address the benefits of the dynamic routing protocols later, but for now will define these benefits as load balancing, redundancy, and scalability.
Following a review of the above material, the only viable choices were RIP
v2 and static routes. RIP v2 was considered, but the number of remote configuration steps and the bandwidth consumption issues were sufficient to
put it in second place.
Notice some of the themes used in selecting a routing protocol: link bandwidth, router CPU utilization, router memory, support for VLSM, redundant
paths, load balancing, availability, and support staff familiarity. These will
be important factors in your designs.
RIP v2 builds upon the original RIP specification and adds a number of
features, the most significant of which is the sharing of subnet mask information. Thus, RIP v2 supports VLSM. Figure 4.1 illustrates the packet formats for both RIP and RIP v2. Note that there are many similarities between
the two in order to facilitate interoperability.
FIGURE 4.1 RIP and RIP v2 packet formats
IP RIP version 1: Cmd (1 byte), Version (1 byte), Zero (2 bytes), Address Family (2 bytes; IP equals 2), Zero (2 bytes), Address (4 bytes), Zero (2 bytes), Zero (2 bytes), Metric (4 bytes)
IP RIP version 2: Cmd (1 byte), Version (1 byte), Unused (2 bytes), Address Format Identifier (2 bytes), Route Tag (2 bytes), Address (4 bytes), Subnet Mask (4 bytes), Next Hop (4 bytes), Metric (4 bytes)
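A parser for the two route-entry layouts in Figure 4.1, added here as an example; it is not code from the book or from Cisco. It follows the RFC 1058 / RFC 2453 field order, treats a metric of 16 as unreachable, rejects RIP v1 entries whose must-be-zero fields are set, and does not handle RIP v2 authentication entries (AFI 0xFFFF); the two sample packets are constructed, not captured.

```python
"""Parse RIP v1 and RIP v2 response packets (RFC 1058 / RFC 2453 layout)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

INFINITY = 16          # a hop count of 16 marks a route unreachable
HEADER_FMT = "!BBH"    # command, version, must-be-zero (v1) / unused (v2)
ENTRY_LEN = 20         # every route entry is 20 bytes in both versions


@dataclass
class RipEntry:
    afi: int                           # address family identifier (IP is 2)
    address: str
    metric: int
    route_tag: Optional[int] = None    # RIP v2 only
    subnet_mask: Optional[str] = None  # RIP v2 only; v1 carries no mask, hence no VLSM
    next_hop: Optional[str] = None     # RIP v2 only

    @property
    def reachable(self) -> bool:
        return self.metric < INFINITY


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_rip(packet: bytes) -> Tuple[int, int, List[RipEntry]]:
    """Return (command, version, entries); raise ValueError on malformed input."""
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("bad RIP length %d" % len(packet))
    cmd, version, zero = struct.unpack(HEADER_FMT, packet[:4])
    if version not in (1, 2):
        raise ValueError("unsupported RIP version %d" % version)
    if version == 1 and zero:
        raise ValueError("RIP v1 header must-be-zero field is set")
    entries: List[RipEntry] = []
    for off in range(4, len(packet), ENTRY_LEN):
        chunk = packet[off:off + ENTRY_LEN]
        if version == 1:
            # AFI(2) zero(2) address(4) zero(4) zero(4) metric(4)
            afi, z1, addr, z2, z3, metric = struct.unpack("!HH4sIII", chunk)
            if z1 or z2 or z3:
                raise ValueError("RIP v1 entry must-be-zero field is set")
            entry = RipEntry(afi, _dotted(addr), metric)
        else:
            # AFI(2) route tag(2) address(4) subnet mask(4) next hop(4) metric(4)
            afi, tag, addr, mask, nhop, metric = struct.unpack("!HH4s4s4sI", chunk)
            entry = RipEntry(afi, _dotted(addr), metric, tag, _dotted(mask), _dotted(nhop))
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric %d outside 1..16" % metric)
        entries.append(entry)
    return cmd, version, entries


# Constructed sample packets (command 2 = response), not captured traffic.
SAMPLE_V1 = struct.pack(HEADER_FMT, 2, 1, 0) + struct.pack(
    "!HH4sIII", 2, 0, bytes([10, 1, 5, 0]), 0, 0, 3)
SAMPLE_V2 = struct.pack(HEADER_FMT, 2, 2, 0) + struct.pack(
    "!HH4s4s4sI", 2, 0, bytes([172, 16, 10, 0]), bytes([255, 255, 255, 0]),
    bytes([0, 0, 0, 0]), 16)   # metric 16: a poisoned (unreachable) route

if __name__ == "__main__":
    for pkt in (SAMPLE_V1, SAMPLE_V2):
        cmd, ver, entries = parse_rip(pkt)
        print("RIP v%d command %d" % (ver, cmd))
        for e in entries:
            print("  ", e, "reachable" if e.reachable else "unreachable")
```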
FIGURE 4.2 RIP hop-count path selection: Routers A, B, C, D, E, F, and G (figure not reproduced)
RIP uses hop count only to determine the path. Using Figure 4.2, determine the path that Router A would use to send packets to Router G. You will
find that the path A-C-F-G, with a hop count of 7, would be used over the
other routes. Note that the hop count values do not surpass 15; a hop count
of 16 marks the route as unavailable in RIP.
It is important to note that RIP networks designed with the hierarchical
model would have a maximum default hop count of 6, easily within the 15-hop limitation. Other designs, especially those that manipulate the hop metric, may exceed this limitation more easily.
Convergence time is an important consideration in selecting a routing
protocol. RIP is one of the slower routing protocols in terms of convergence,
although the hierarchical design model also works to facilitate the fastest
possible convergence.
OSPF. In addition, IGRP, and its successor, EIGRP, tolerate arbitrary topologies better than OSPF; however, designers should strive to follow the hierarchical model in order to improve convergence and troubleshooting.
It is unlikely that a designer would select IGRP for a completely new network design, but it might still be warranted for reasons that will be presented
in this section. It is much more likely that the use of IGRP will be based on
previous deployments of the protocol and the required integration that the
network will demand. A recent Cisco survey found IGRP and EIGRP in over
50 percent of networks.
IGRP is a more advanced protocol than RIP, which it was designed to
replace. It is a distance-vector protocol that uses a 24-bit metric value to
determine the best route, with a maximum of 254 hops (default value of 100
hops). This is greatly enhanced over RIP's 15-hop-based metric. Other benefits include load balancing and path determination, where the protocol can
select from multiple default networks. IGRP is also more tolerant of nonhierarchical topologies; unlike EIGRP, IGRP can support arbitrary topology
configurations. However, both protocols operate better when deployed with
a strong design. It is important to note that complex mesh configurations
will impact convergence in both IGRP and EIGRP, but the redundancy benefits of these designs may offset the negatives.
As with RIP, IGRP transmits the entire routing table with each update,
which by default occurs every 90 seconds (compared to RIP at every 30 seconds). These updates may contain 104 route entries (within a 1,500-byte
packet), which is a clear improvement over IP RIP, which includes only 25
routes. Unfortunately, the entire routing table is sent each time. Of more
importance in advanced networks, IGRP does not support VLSM and is
classful. Finally, IGRP uses the concept of split-horizon to prevent routing
loops. By default this feature is on. However, the architect may disable it to
support point-to-multipoint installations.
Some texts state that split-horizon is disabled automatically with some topologies, such as SMDS. This is incorrect. You should use the show ip interface
command to check the current status of an interface.
Split-horizon is used to prevent routing loops by blocking the advertisement of a route out the interface that it was learned from. Poison reverse is
a variation on this concept that sends the route back to the source, but with
an illegal metric.
IGRP Metrics
The IGRP metric is one of the most significant advantages for network
designers using the protocol. Unlike RIP, which uses hop count as a single
metric, IGRP uses two important factors, of six possible metrics, to determine routes. These are presented in Table 4.2.
TABLE 4.2 IGRP metrics and their characteristics
Bandwidth: The bandwidth metric is based on the bandwidth statement on an interface in the routing path. It is used in the calculation of IGRP routing metrics. The value is cumulative and static. Unless configured with the bandwidth command, IGRP will presume the default of T1, or 1.544Mbps, on standard serial interfaces (the default for Ethernet is 10Mbps).
Delay: (description not reproduced)
Reliability: Calculated from keepalives, the reliability metric (if enabled) is dynamic and represents the reliability of the path over time. A link with lower reliability would become less desirable. Values range from 0 to 255, with the default 255 being 100 percent reliable.
Loading: (description not reproduced)
MTU: (description not reproduced)
Hops: (description not reproduced)
By default, IGRP considers only two metrics in determining the best route
through the network: bandwidth and delay. Under ideal conditions, IGRP
will weight bandwidth more heavily for shorter routes (routes with fewer
hops) and delay for longer routes. This can provide a more accurate representation of the network's capacity.
Load Balancing
As noted previously, IGRP supports the function of both equal- and
unequal-cost load balancing (if configured), which provides multiple active
routes through the network. This can both aid performance and improve
convergence: when an alternate route is already in use, it can be used for
additional traffic that was normally destined for the failed link.
Unequal-cost load balancing relies on an IGRP setting called variance to
be set to a value other than the default of 1. The method in which packets are
balanced differs based on the type of switching in use.
Recall that the router can forward packets based on process switching, in
which each packet is processed by the processor, or fast switching, in which
case forwarding is not reliant on the processor for each datagram. For this
presentation, please consider fast switching to encompass all other forms of
switching, including autonomous and distributed.
In process switching, load balancing is allocated based on the bandwidth
of the link. As shown in Figure 4.3, this would yield one packet on a 64Kbps
circuit to every two packets on a 128Kbps circuit. This also assumes that
variance is configured at 2.
FIGURE 4.3
IGRP Convergence
The most significant test of a dynamic routing protocol is observed in its
response to a network failure. Based on the characteristics of the routing protocol, the network may recover (assuming redundant paths) quickly or
slowly. The amount of time required for the network to recover is called
convergence.
IGRP was designed to reduce convergence time, and while it is not as
fast as EIGRP, it can handle most outages in less than the 90-second update
interval. This is made possible by the use of triggered updates.
Triggered updates will occur when the routing protocol is informed of a
link failure. This is instantaneous for Fiber Distributed Data Interface
(FDDI) and Token Ring, or when carrier detect is lost. For other network
interfaces, failure is determined by keepalives, and failure is dependent on
the keepalive timer interval. The following output provides an example
of the keepalive timer as shown in the show interface command:
Router_A#show interface s0
Serial0 is up, line protocol is up
Hardware is MK5025
Description: Circuit
Internet address is 10.1.5.181/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 2/255
SMDS hardware address is c121.3555.7443
Encapsulation SMDS, loopback not set, keepalive set (10 sec)
ARP type: SMDS, ARP Timeout 04:00:00
Mode(s): D15 compatibility
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 1w1d
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 1/75, 0 drops
5 minute input rate 41000 bits/sec, 18 packets/sec
5 minute output rate 17000 bits/sec, 17 packets/sec
12401968 packets input, 171211114 bytes, 0 no buffer
Designers should also note that the holddown timer does not dictate convergence times when load balancing is configured and that routes are flushed
based on the flush timer. The flush timer is seven times the update interval,
or 630 seconds, by default.
If there were a single negative factor with EIGRP, it would have to be its
lack of documentation and use in the real world. This situation is quickly
changing, but many companies have deployed IP EIGRP only to later remove
it because of CPU, memory, and route-flapping issues. Once properly configured and designed, EIGRP quickly redeems itself, given its powerful features. One criterion towards this goal is to avoid using EIGRP in hub-and-spoke designs, as these configurations quickly demonstrate the protocol's
inability to scale and converge. This presentation of EIGRP will focus solely
on IP EIGRP; it is important to note that EIGRP will support AppleTalk and
IPX routing. However, separate tables are maintained for each of the three
supported protocols, and each protocol uses separate hello messages, timers,
and metrics.
In addition to the separate routing, topology, and neighbor tables maintained on the router for each protocol, EIGRP uses reliable and unreliable
transports to provide routing functions. The primary mechanism in EIGRP
is the hello datagram, which is used to maintain verification that a router is
still active. When a topology change event occurs in the network, the protocol will establish a connection-oriented communications channel for the
updates.
Many of the EIGRP commands and default behaviors are similar to IGRP in
order to augment migration efforts. For example, EIGRP performs an automatic classful summarization like IGRP, although EIGRP adds VLSM support.
EIGRP Neighbors
One of the most limiting factors regarding EIGRP is the lack of detailed
information about the protocol. A significant component of this is the neighbor relationship. Neighbor relationships are established between two routers
running in the same EIGRP autonomous system (AS).
While the Network Design in the Real World: EIGRP sidebar provides
additional tips regarding EIGRP, most designers would be well advised to
consult with others who have deployed the protocol. Although EIGRP is
extremely powerful, the reality is that little information is available regarding actual deployments. This can be a significant factor in deployments with
high numbers of neighbors, poor addressing and design, and low memory
and CPU availability on the routers. Many problems with EIGRP involve the
number of neighbors, especially with the Route Switch Module (RSM) in the
Catalyst product line. Unlike a router, the RSM typically terminates multiple
networks and has many neighbors, more than are found in a typical installation with routers. In addition, the RSM is relatively limited in terms of
backplane connectivity (400Mbps) and processor (an RSP 2). Therefore, a
high number of neighbors will affect an RSM before a comparable installation with RSP 4s and a 7513 router, a factor that has impacted many
EIGRP conversions.
One of the misunderstood concepts in EIGRP is that of the feasible successor. The feasible successor is not selected from any adjacent router that
can reach the destination; rather, the feasible successor must have a lower
metric than the router calculating the feasible successor. Stated another way,
the reported distance, a value determined by the adjacent router providing its
cost to the destination, must be less than the feasible distance, or the second-lowest cost for the calculating router to the destination. The reported distance does not include the cost of the link between the adjacent router and
the calculating router. Figure 4.5 illustrates this concept.
FIGURE 4.5 EIGRP feasible successor example: Routers B, C, D, and E (figure not reproduced)
In this example, we will presume that the metric is simply based on hop
count. As such, Router B is one hop from Router C, and Router D is three
hops from Router C. The destination in this example is Router C, and the
router we are concerned with is A, which is two hops away.
Router A, assuming all links are active, will place into the routing table a
route through B to C; this is clearly the shortest path through the network.
However, it will not place a feasible successor route in its table using the
route A-D-E-B-C. In the event of link failure between A and B, the router
must recalculate the path to C. The rationale is that in order for a route to
be feasible, it must have a lower cost to the destination than the current routing metric on the router itself. For example, D would consider D-A-B-C to be
feasible in the event of link failure, as A's cost to C is one hop less than D's.
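The feasibility check described above, worked as code. This is an added example, not from the book: it assumes the Figure 4.5 links A-B, B-C, A-D, D-E and E-B (reconstructed from the text) with every link costing one hop, computes each neighbor's reported distance with a shortest-path run, and applies the rule that a backup must report a distance below the feasible distance.

```python
"""EIGRP feasibility condition on the Figure 4.5 topology (hop-count metric)."""
import heapq
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, int]]

# Constructed topology (assumption drawn from the text); every link costs one hop.
FIG_4_5_LINKS = [("A", "B"), ("B", "C"), ("A", "D"), ("D", "E"), ("E", "B")]


def build_graph(links: List[Tuple[str, str]]) -> Graph:
    graph: Graph = {}
    for u, v in links:
        graph.setdefault(u, {})[v] = 1
        graph.setdefault(v, {})[u] = 1
    return graph


def shortest(graph: Graph, src: str, dst: str) -> float:
    """Dijkstra; stands in for the metric each router would report (inf if unreachable)."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            return d
        if d > dist.get(node, float("inf")):
            continue
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return float("inf")


def dual_view(graph: Graph, router: str, dst: str):
    """Return (feasible distance, successors, feasible successors, {nbr: (RD, total)})."""
    table = {}
    for nbr, link in graph[router].items():
        rd = shortest(graph, nbr, dst)      # reported distance: the neighbor's own cost to dst
        table[nbr] = (rd, rd + link)        # total cost adds the link to that neighbor
    fd = min(total for _, total in table.values())   # feasible distance (best known total)
    successors = [n for n, (_, t) in table.items() if t == fd]
    # Feasibility condition: a backup must report a distance strictly below FD, which
    # guarantees its path cannot pass back through this router (loop-free by construction).
    feasible = [n for n, (rd, _) in table.items() if n not in successors and rd < fd]
    return fd, successors, feasible, table


def satisfies_fc(graph: Graph, router: str, nbr: str, dst: str) -> bool:
    """Does `nbr` meet the feasibility condition from `router`'s point of view?"""
    fd, _, _, table = dual_view(graph, router, dst)
    return table[nbr][0] < fd


def react_to_failure(graph: Graph, router: str, lost_nbr: str, dst: str) -> str:
    """'passive' if a pre-qualified neighbor can take over locally, 'active' if
    the router must recompute (query its neighbors) after losing `lost_nbr`."""
    fd, _, _, table = dual_view(graph, router, dst)
    remaining = [n for n in graph[router] if n != lost_nbr]
    if any(table[n][0] < fd for n in remaining):
        return "passive"
    return "active"


if __name__ == "__main__":
    g = build_graph(FIG_4_5_LINKS)
    for r in ("A", "D"):
        fd, succ, feas, table = dual_view(g, r, "C")
        print(f"{r}: FD={fd} successors={succ} feasible={feas} neighbors={table}")
    print("A after losing B:", react_to_failure(g, "A", "B", "C"))   # active
    print("D after losing E:", react_to_failure(g, "D", "E", "C"))   # passive
```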
The behavior of feasible successors is related to the protocol's primary
objective: no loops may exist in the topology at any time. By always selecting a router with a lower metric, the protocol avoids such scenarios, even
though this may hinder convergence. Most EIGRP convergence scenarios
complete within one second; however, in the worst case a properly working
This message may result from one of two problems. The first is simply a
lack of available memory on the router to calculate the route. A route that
is unparsed (undergoing recomputation) is considered active, whereas a stable route that has been placed in the tables is passive. The second possible
cause is a lack of bandwidth on the link between the two routers, preventing communications between them for route update transmission. One
method for addressing this problem is to augment the available bandwidth
EIGRP is allocated. By default, EIGRP cannot consume more than 50 percent of the link. Another technique that can help is route summarization.
Designers should keep in mind that EIGRP maintains not only its routing
table but also the routing table of each adjacent router. This fact is significant in understanding the importance of summarization, small neighbor
relationships, and the routing update mechanism. DUAL uses this additional
information to determine the feasible successor, and this data determines
whether a computation is required.
Route summarization in EIGRP is automatic across major network boundaries, but many administrators disable this feature in order to take advantage
of manual summarization on all boundaries and gain more control. For discontiguous subnets, this feature must be disabled. This powerful feature not
only reduces the size of the routing table but also provides a strong motivator
for readdressing projects. The best EIGRP designs yield very small core routing
tables, divided at a very high level based on summarization.
Designers should also note that EIGRP can maintain six routes to a destination, a characteristic that can reduce convergence time, as the router
simply moves packets to the remaining paths.
EIGRP designs tend to be most successful when using the three-tier, hierarchical model.
This section has noted that designers typically select EIGRP as a replacement for IGRP without describing some of the reasons a designer would do
so. Here is a list of advantages provided by EIGRP:
Low bandwidth consumption (stable network): When the network is
stable, the protocol relies only on hello packets. This greatly reduces the
amount of bandwidth needed for updates.
Efficient use of bandwidth during convergence: When a change is made
to the routing topology, EIGRP will enter a period of active convergence.
During this time, the routers will attempt to rebuild their routing tables to
account for the change, typically the failure of an interface. To conserve
bandwidth, EIGRP will communicate only changes in the topological
database to other routers in that AS, as opposed to communication of the
entire routing table, which consumes a great deal of bandwidth, especially
in larger networks.
Support for VLSM: As noted previously, EIGRP supports variable-length subnet masks. This support, along with support for classless interdomain routing (CIDR), can greatly assist the network designer by
offering greater flexibility in IP addressing.
Designers should use some caution in deploying VLSM in the network.
Ideally, there should be only two or three masks for the entire enterprise.
These typically include /30 and /24. The reason for this is not specifically a
routing protocol limitation, but rather a consideration for troubleshooting
and other support issues. The concepts of VLSM and CIDR have been
around for many years, but an understanding of both features, especially in
the server and workstation arenas, is still wanting; network designers may
find that their workstation support staffs are unfamiliar with these concepts
and may find resistance to a readdressing effort. Remember that IP addressing affects not only the network, but also all other devices in the network,
including Dynamic Host Configuration Protocol (DHCP), workstations,
and servers. In well-administered networks, the use of VLSM is transparent
to end users. However, the lack of familiarity by administrators and users
can cause problems; consider the impact on the network if end users
changed their subnet mask to the default value because they found it to be
wrong. The problem is not technical but educational. Fortunately, these concerns and issues are being quickly eliminated from the landscape as VLSM
gains in popularity and designers become more familiar with it. Recall from
Pay special attention to memory and CPU capacity on routers that will run
EIGRP. The protocol can be very memory intensive, especially as the number
of neighbors increases.
Limit the number of neighbors. This is easier said than done, especially
when the network has evolved over time. One technique is to use passive interfaces, although doing so significantly diminishes the overall
benefits of EIGRP. Cisco recommends the use of ODR in hub-and-spoke
designs, which can also reduce the number of neighbor relationships,
but again, this reduces the overall benefits of EIGRP. The generic guidelines recommend that EIGRP neighbors be kept to fewer than 30; however, this is dependent on the amount of memory and the number of
routes. Networks have failed with fewer neighbors, and a small number
of networks have deployed over 70 neighbors successfully.
Don't use the automatic redistribution feature unless the network is very
simple. Automatic redistribution is a feature Cisco provides in order to
make IGRP-to-EIGRP migration easier. You configure this feature by setting the AS number to the same value in the two protocols. The automatic feature works well, but many administrators find that it does not
afford enough control over the redistribution process, which may be
necessary for the migration.
Administrators and designers should disable automatic route summarization and manually summarize routes whenever possible. Route summarization is an automatic process within the major network address, and
it may require readdressing. However, summarization reduces the size
of the routing table and can further enhance stability and convergence.
The router ID of the router that redistributed the route (EIGRP redistribution) and the AS number of that router
An external route tag that the administrator can use for filtering
IGRP does not provide an external route mechanism. Therefore, the protocol
cannot differentiate between internally and externally learned routes.
The Open Shortest Path First (OSPF) protocol is perhaps one of the
most difficult routing protocols to configure correctly. This is due to the protocol's feature set, which includes route summarization and the ability to use
areas to logically divide various elements in the network. OSPF is a nonproprietary, link-state routing protocol for IP. It was developed to resolve some
of the problems found with the RIP, including slow convergence, susceptibility to routing loops, and limited scalability. Given its nonproprietary
nature, OSPF may be better suited for network designs than IGRP and
EIGRP when non-Cisco equipment is a design criterion. Many educational
networks use OSPF.
OSPF supports various network types, including point-to-point and
broadcast/nonbroadcast multiaccess networks. Hellos are used to establish
neighbor relationships under most circumstances; however, manual configuration is needed for nonbroadcast multiaccess networks. The hello mechanism communicates with the designated router in each area and will be
presented in greater detail later in this chapter. These occur at 10-second
intervals and do not incorporate the entire routing table. Every 30 minutes,
OSPF will send a summary link-state database, regardless of link failure; the
rest of the time only hellos will traverse the link. Link failure will cause additional updates, and this process will be defined later as well.
OSPF uses the Dijkstra algorithm to calculate the shortest path for the
network. In addition, OSPF supports VLSM and discontiguous subnets. Discontiguous subnets are subnets within a major network that are split by a
different major network.
Apart from a VLSM-aware routing protocol, such as OSPF, discontiguous subnets are handled by the use of secondaries, or tunnels to link the two segments of the major network.
From a design perspective, OSPF relates well with the textbook three-tier
model. Consider the following guidelines and limitations of the protocol as
they relate to the three-tier model:
Keep workstations and other devices off the backbone. In both models, the core/backbone is a critical resource that should never contain non-network devices. In designing a small network, the designer may use
OSPF with a single area, the special backbone area zero. Under these circumstances, workstations and other devices will have to be included in
this area. Under all other circumstances, designers will wish to keep the
core as a secure transit area. This will reduce eavesdropping efforts and
maintain a stable network. Note that OSPF backbones are best served
when hosts are not placed in this backbone, a design criterion shared with
the hierarchical model.
Maintain a simple backbone topology. As with the previous guideline,
both OSPF and the three-tier model benefit from stable, simple
backbones.
Limit each area to less than 100 routers and incorporate no more than 28
areas in the network. These Cisco recommendations for OSPF design
match well with the demands of most networks designed under the three-tier model.
The OSPF router types listed in the table are the internal router, the backbone router, and the autonomous system boundary router (descriptions not reproduced).
Some sources state that internal routers may contain the routers within area
zero. This is not accurate; area zero backbone routers are usually not considered internal routers. Due to their role, they are backbone routers.
Figure (not reproduced): an autonomous system boundary router connects to another network; backbone routers sit in Area 0; area border routers join Area 0 to Area 1 and Area 2; internal routers reside within Area 1 and Area 2.
area will have the same link-state database, which will incorporate information from all link-state advertisements (LSAs) for the area. Within the area,
this information will incorporate specific links, and when learned from other
areas and external (other AS) sources, this information will include specific
links, summary links, and default links.
The concept of areas benefits the network greatly. For instance, convergence times can be greatly reduced by summarizing routes at the area border
router. In addition, the requirement that all areas connect directly with area
zero works to limit the depth of the entire network, which typically aids in
the design and troubleshooting processes.
While it is preferable to keep all areas directly connected to area zero, it is possible to attach an area to area zero through another OSPF area. This is called
a virtual link. Designers should avoid using virtual links whenever possible.
It can be preferable to make each summarization area equal; however, subnets within the area can take advantage of VLSM functionality. Remember
that VLSM address allocations are best limited to two or three masks.
via the shortest path first (SPF) algorithm, nor do the routing tables change
inside the shielded area.
Within each area, a single router is elected to be the designated router. The
designated router, or DR, is selected by an election process that uses the
highest IP address on the router. Most administrators use the loopback interface to override the highest IP address and manually manage the election of
the DR. A Priority-ID may also be used to determine DR during election. It
is preferable to use a router with the most memory and CPU capacity for the
DR. In addition to the DR, a backup designated router (BDR) is also selected
to provide redundancy in the event the primary router fails. The designated
router provides an aggregation point for OSPF LSAs. Note that the command ip ospf priority may be used to make a router the DR. Under these
circumstances, the IP address is used in the event of a tie.
One last consideration for designers is the configuration of stubby areas
and totally stubby areas. (Don't laugh, that's what they're called.)
A stubby area consolidates external links and forwards summary LSAs,
specific LSAs, and the default external link, which is analogous to the default
route of 0.0.0.0.
The concept of a totally stubby area is Cisco IOS-specific. Only the
default link is forwarded into the area by the area border router. The command to configure this feature is area {N} stub no-summary. Because the
totally stubby area receives only a default route, it is limited; however, it also
works to control the total number of routes advertised into an area, which
may benefit the designer in controlling routing propagation.
TABLE 4.4 OSPF LSA types
Type 1, Router link advertisement: (description not reproduced)
Type 2, Network link advertisement: Also an intra-area information advertisement, the network link advertisement contains a list of routers attached to a network segment. The designated router will send this update for all other routers on multiaccess networks.
Types 3 and 4, Summary link advertisement: (description not reproduced)
Type 5, External link advertisement: External link advertisements present information about routes in other autonomous systems. Type 5 is used by the ASBR. These updates are allowed to flood all areas. There is a great deal of information regarding OSPF, including external link advertisements, that is beyond the scope of this text. It is recommended that readers interested in additional information on OSPF consult the RFCs and other texts on the subject, including the Cisco Web site.
There are two additional LSA types. Type 6 is for Multicast OSPF, or
MOSPF. Type 7 is defined for NSSAs, or not-so-stubby areas. While both may
gain popularity in the future, they are not commonly found in most networks.
OSPF Costs
Interface Type: Cost
FDDI (100Mbps): (cost not reproduced)
Ethernet (10Mbps): 10
Serial T1 (1.544Mbps): 64
Serial 56K (56Kbps): 1728
OSPF convergence
At present, ODR is not incorporated into the CID exam or its objectives. However, the protocol is very useful in simplifying small hub-and-spoke network
routing, as it adds virtually no overhead.
It would be most accurate to describe ODR as a routing process. However, the process relies on the Cisco Discovery Protocol (CDP). The CDP
packets are a proprietary method for exchanging information between two
Cisco devices. The majority of this information is used in troubleshooting
and administration. For example, CiscoWorks and other SNMP/RMON
(remote monitoring) tools now use the CDP information to assist in the discovery and map-building processes.
ODR adds another function to CDP. By listening to CDP packets in a simple hub-and-spoke design, a master router (located at the hub) is able to
learn about all the other routers in the network. The remote routers are configured with a single default route to the hub. This design does not provide
many of the benefits of a formal routing protocol, but it will provide connectivity and status regarding the remote router interfaces without consuming
additional bandwidth. Of course, CDP can be disabled; it is on by default.
Figure 4.9 illustrates a typical ODR installation.
As of this writing, Cisco does not support CDP on ATM links. However, this
feature and support for secondary interfaces are documented as available in
IOS 12.0.
FIGURE 4.9 On-demand routing (figure not reproduced): the rest of the network runs an IGP (EIGRP), while ODR is used toward the remote routers.
This section provides greater detail regarding the BGP protocol and process than required for the Cisco objectives. The extra information is provided because of the limited amount of information available on the
protocol and the likely migration by Cisco toward greater use of BGP in
enterprise deployments.
Cisco has recently advocated the use of BGP in the internal network when the network gets particularly large. Consider for a moment how you might design a network with 10,000 routers. Even OSPF with multiple areas will have difficulty handling that many devices, to say nothing of the introduction of new networks and, in some cases, acquired companies.
BGP is best described as a path-vector routing protocol. The protocol, in
this context, is less concerned with the internal routes and more concerned
Administrators are advised to use the loopback address on the router for all BGP peering. Doing so stabilizes the routing process and maintains connectivity in the event of an interface failure. The stability comes from the TCP session being established between loopback interfaces: a link failure, given other paths, does not require the TCP session between the BGP pair to be re-established. Two conditions apply. The IGP must carry the loopback addresses so that the peers can reach each other, and an eBGP neighbor addressed by its loopback is no longer directly connected, so that neighbor also needs the ebgp-multihop option.
A multi-homed AS can influence which of its entry points a neighboring AS uses by attaching a multi-exit discriminator (MED) to the routes it advertises over each link; the neighbor prefers the lowest value. The MED may be a fixed value set by policy, or it may be derived from the IGP metric (typically provided by OSPF) so that the neighbor enters at the point closest to the destination. Note that the MED is not transitive: the receiving AS uses it but does not pass it on to its own neighbors.
Administrators may also use route maps to modify and influence the routing tables. Route maps operate on a match-and-set model: the conditions in the match clauses are checked before the router applies the set clauses, and a route map ends with an implicit deny, so any route that matches no permit clause is dropped. For example, the administrator may wish to modify only routes from network 172.16.0.0. In this configuration, the route map would match 172.16.0.0 and then set the modified value, such as an adjusted metric.
The following BGP configuration is provided as a sample of some of the commands used. In reality, BGP configurations can be very simple; however, most connections to the Internet require additional parameters that can cause difficulty. Notice that the specific IP address of each neighbor is given in the configuration, that the update-source for the neighbor in AS 65342 is defined as Loopback0, and that the route map Filter has been applied to a neighbor.
router bgp 65470
no synchronization
bgp dampening
network 10.9.14.0 mask 255.255.255.0
neighbor 192.168.19.33 remote-as 65391
neighbor
neighbor
neighbor
neighbor
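The following added configuration is not the book's; it fills in the pieces the narrative describes but the sample above does not show: an eBGP neighbor with the route map Filter applied, an iBGP neighbor reached through Loopback0, and the route map that matches 172.16.0.0 and sets the metric. The loopback and iBGP peer addresses, the access-list and route-map sequence numbers, the direction in which Filter is applied and the MD5 password are assumptions.

```ios
! Added example; addresses, AS numbers and the shared secret are assumed
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router bgp 65470
 no synchronization
 bgp dampening
 network 10.9.14.0 mask 255.255.255.0
 ! eBGP peer on a directly connected link; Filter is applied inbound here
 neighbor 192.168.19.33 remote-as 65391
 neighbor 192.168.19.33 route-map Filter in
 ! TCP MD5 signatures: segments without the correct signature are
 ! discarded, so a spoofed RST or UPDATE cannot reach the session
 neighbor 192.168.19.33 password bgp-shared-secret
 ! iBGP peer addressed by its loopback: the TCP session survives any
 ! single link failure as long as the IGP still reaches 10.255.0.2.
 ! (An eBGP peer addressed this way would also need
 !  "neighbor 10.255.0.2 ebgp-multihop 2", since it is not directly connected.)
 neighbor 10.255.0.2 remote-as 65470
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password bgp-shared-secret
!
! Match only prefixes inside 172.16.0.0/16 and change their metric (MED).
! The final empty permit clause passes every other route; without it the
! route map's implicit deny would drop everything that is not 172.16.x.x.
access-list 10 permit 172.16.0.0 0.0.255.255
route-map Filter permit 10
 match ip address 10
 set metric 50
route-map Filter permit 20
```

The loopback must be advertised by the IGP on both routers before the iBGP session will come up; show ip bgp summary shows the session in the Established state (a prefix count in the last column) once it does, and show ip bgp 172.16.0.0 shows the metric the route map set.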
Database          Function
Adj-RIB-In        Contains the routes received from each peer in inbound UPDATE messages, before local policy is applied.
Local-RIB         Contains the routes selected by the decision process for the local speaker's own use.
Adj-RIB-Out       Contains routes that the local BGP speaker will advertise to peers.

While these databases are presented as separate entities, they are not necessarily implemented that way.

TABLE 4.7
Phase       Function
Phase 1     Calculates the degree of preference for each route received from a peer and held in the Adj-RIB-In.
Phase 2     Selects the best route for each destination and places that route into the appropriate Local-RIB.
Phase 3     Selects the routes to be advertised to each peer and places them in the Adj-RIB-Out.
Typically one path to a destination is clearly best, but ties are possible. Among paths that are otherwise equal, the lowest multi-exit discriminator (MED) wins; if no MED is present, or the MEDs are equal, the path whose next hop has the lowest IGP cost is used; and if that is also equal, the path from the peer with the lowest BGP identifier (router ID) is chosen. Cisco's full selection order considers weight, local preference, locally originated routes, AS-path length and origin before it reaches the MED, and it prefers eBGP paths over iBGP paths before comparing IGP cost. The router ID is the highest loopback address by default (the highest physical interface address if there is no loopback), unless bgp router-id sets it explicitly; this is another reason to define a loopback on every BGP router.
IS-IS uses a two-level hierarchy. Level 1 routing is intra-area, and Level 2 routing is inter-area: Level 2 links the areas of a routing domain together. A Level 1 router need only find the nearest Level 1-2 router to reach destinations outside its area, much as an internal OSPF router relies on an area border router.
IS-IS metrics, by default, consist of a single narrow metric: each link carries a 6-bit value (maximum 63), and the total path metric is 10 bits (maximum 1023). The original specification also defines optional delay, expense and error metrics that can reflect other link costs, and the CLNP header carries a limited quality-of-service field. CLNP is the ISO Connectionless Network Protocol, the OSI network-layer protocol that DECnet Phase V adopted. IS-IS was built to route CLNP and was later extended to carry IP as Integrated IS-IS (RFC 1195).
At present, there is little reason to select IS-IS for an enterprise network, where EIGRP and OSPF dominate the marketplace; it does see use in some large service-provider backbones. The Cisco Web site provides additional information on the protocol, should you wish to study it further.
Summary
RIP
RIP v2
OSPF
IGRP
EIGRP
BGP
The chapter also identified some of the reasons IP routing might be better
handled by one protocol than another. Incorporated into that decision were
a number of criteria, including the following:
Availability
Scalability
Ease of administration
Bandwidth efficiency
Multi-vendor interoperability
Fewer than 100 routers per area and fewer than 28 areas
Review Questions
1. IS-IS defines areas:
A. As Layer 1, which is intra-area, and Layer 2, which links two areas
B. As a single AS linked by multiple ASBRs
C. As multiple Layer 1 inter-area links
D. As Layer 2 intra-areas and Layer 1 transit areas.
2. Under IGRP, split horizon would be off, by default, for which of the
following?
A. Token Ring
B. Ethernet
C. SMDS
D. FastEthernet
E. None of the above
3. IGRP will do which of the following?
A. Send hellos every 10 seconds.
B. Send hellos every two hours.
C. Send the entire routing table every 90 seconds.
D. Send only changes to the routing table every 90 seconds.
4. In IGRP, the default update timer is:
A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 120 seconds
routes metric?
A. Bandwidth
B. Delay
C. Reliability
D. Loading
E. MTU
F. Hops
7. Which of the following would be a benefit in using static routes?
A. Low bandwidth utilization
B. 10-second updates
C. Automatic configuration
D. Load balancing
8. Which of the following routing protocols support VLSM?
A. RIP
B. RIP v2
C. OSPF
D. IGRP
E. EIGRP
major network
B. A single summary route from a major network
C. Not permitted in OSPF
D. Permitted in OSPF, but not part of the link-state database
15. OSPF can load-balance, by default, how many routes?
A. 2
B. 4
C. 6
D. OSPF cannot load-balance.
16. The algorithm used by OSPF is called which of the following?
A. DUAL
B. SPF (Sequenced Packet Format)
C. Dijkstra's
D. Radia
17. The OSPF link-state summary table is sent under which of the follow-
ing circumstances?
A. Every 30 minutes
B. Every 90 seconds
C. Every 30 seconds
D. Every time there is a change in topology
administrator must:
A. Disable auto-summary
B. Use different AS numbers
C. Manually summarize routes
D. Use static routes, as EIGRP cannot support this function manually
19. Which of the following would not be considered an advantage
of OSPF?
A. An open standard supported by many vendors
B. Quick convergence
C. Support for discontiguous subnets
D. Use of unicast frames for information exchange
E. Support for VLSM
20. Which of the following would likely not be configured by a corporate
WAN designer?
A. Stub AS
B. Transit AS
C. Multi-homed AS
D. All of the above
21. IS-IS is:
A. A classless, distance-vector protocol suited to small networks
B. A classful, link-state protocol that scales to support large networks
C. An exterior routing protocol used in the Internet
D. A classless, link-state protocol that supports large networks
E. An interior routing protocol used to support small networks
using ATM
Chapter 5
Designing AppleTalk Networks
CISCO INTERNETWORK DESIGN EXAM
OBJECTIVES COVERED IN THIS CHAPTER:
Use Enhanced IGRP for path determination in internetworks
that support IP, IPX, and AppleTalk.
Examine a clients requirements and construct an appropriate
AppleTalk design solution.
Choose addressing and naming conventions to build
manageable and scalable AppleTalk internetworks.
Use Cisco IOS features to design scalable AppleTalk
internetworks.
The design goal of any network is typically the same: provide a scalable, logical platform from which users may complete tasks and other functions with a high degree of performance and reliability.
Maintain scalability.
The designer should also keep in mind that AppleTalk is not a single protocol, but rather a family of protocols that interoperate. These protocols include:
According to convention, this chapter will use the term AppleTalk. However, a protocol's definition is actually based on its underlying physical media. Thus, the correct terms are EtherTalk, FDDITalk, and so forth.
FIGURE 5.1
AppleTalk Addressing
The AppleTalk protocol was designed to limit the amount of technical
expertise required to configure the workstation for operation on the network. As a result, the workstation has virtually no configuration options and
obtains its address via a dynamic querying process.
In AppleTalk, the network administrator will assign a cable range, or
block of addresses that the workstations will use. For our purposes, we will
ignore the issues between AppleTalk phase one and phase two and assume
the use of only phase two in this presentation. Recall that AppleTalk phase
one does not permit cable ranges and allows for only 127 node addresses, as
reflected in Table 5.1.
TABLE 5.1   AppleTalk Phase 1 and Phase 2 Address Limits

                                           Phase 1               Phase 2
Number of network addresses per segment    1                     65,279
Number of host addresses per network       127 (workstations)    255 per network number (253 usable)
Table 5.1 presents AppleTalk phase two as being virtually unlimited in terms of host addresses. This is due to the theoretical capability of AppleTalk to treat the cable range 1-65,279 as one network with 253 hosts per network number (node numbers 0, 254 and 255 are reserved on an extended network, so a single-number cable range such as 1-1 holds 253 usable nodes). Thus, the true maximum number of nodes in an AppleTalk network is approximately 16.5 million. Although possible, this number is well beyond the broadcast and physical limitations of most networks, and most cable ranges do not span more than 10 network numbers (10-19, for example).
For additional information regarding AppleTalk phase one and phase two,
please refer to CCNP: Cisco Internetwork Troubleshooting Study Guide
(Sybex, 1999).
hundreds of nodes. Note that these 10 network numbers form a single logical network (one cable range). This is comparable to expanding the mask in IP, but AppleTalk networks do not share the concept of a separate net mask. For example, nodes on cable range 10-19 might appear as 14.91 and 17.132. In this case, both nodes are on the same network.
Cisco recommends that AppleTalk cable ranges follow some numerically
significant schema, and more importantly, that administrators and designers
document these numbers. Remember that the ranges cannot overlap and
must remain unique within the network.
Some administrators assign network numbers based on the geography of
the environment. A campus with five buildings might have four-digit cable
range numbers. The first digit could relate to the building, the second to the
floor within that building, and so on. Since there are over 64,000 network
numbers available, the designer should be able to develop a numbering plan
that is easy to understand, which will simplify troubleshooting.
As noted previously, the node number is a unique identifier of the device on its network. AppleTalk is a Layer 3 protocol, and the network number is the routable portion of the address space; the node number is insignificant until the packet arrives on the local segment.
In addition to the network number and node number, there is a third significant parameter in the AppleTalk address: the socket number. Socket numbers in AppleTalk are very similar to port numbers in TCP and UDP. They identify a specific service endpoint on the node. Therefore, network-visible entities (NVEs) are identified by three addressing parameters: the 16-bit network number, the 8-bit node number, and the 8-bit socket number. A network-visible entity is a fancy term for a host, server, printer, or other element that might appear to the user.
AppleTalk Naming
One of the conveniences of AppleTalk is its use of names to identify
resources within the network, which is not unlike the DNS and WINS (Windows Internet Naming Service) services in the IP world. However, unlike
the two IP naming techniques, AppleTalk included naming in the initial
protocol.
In fact, there are actually two names in the AppleTalk arena: the zone
name and the resource name. Consider the zone name in the same manner
you might think of a sub-domain name in the IP DNS structure. The main difference between the two naming schemes is that AppleTalk does not incorporate the idea of sub-domains and hierarchical structures. Alternatively, for those more familiar with Windows, AppleTalk is similar to the workgroup model. Resources are members of a grouping, but the grouping is only one of many equals: names in AppleTalk are flat. The DNS structure allows names to traverse multiple layers; for example, the file server in Marketing in the fifth building in Dallas. AppleTalk designers are limited to using names such as Marketing or Marketing_Dallas for their structures.
From a design standpoint, zone names in AppleTalk are usually implemented with two parallel viewpoints in mind. The names need to be used by
both the user community and the network administrators, and fortunately,
in this instance, the solution will please both groups.
AppleTalk zone names are case sensitive. Nonetheless, there are instances
when connectivity may appear to function correctly even though the router
has the incorrect form of the name. Such an installation will eventually experience some problem that will require resolution. Some designers use all
lowercase names to avoid this issue.
Designers ideally will select zone names that reflect the departmental
grouping related to each particular network, typically resulting in names like
Marketing for the Marketing group and Human Resources for the
Human Resources group. This naming scheme will help users locate the services provided by devices in each zone, and typically, these groups (departments, like Human Resources) will be physically located in the same general
area. Such a scheme will also further assist administrators, because troubleshooting is simplified when the Marketing zone is no longer visible in the
Chooser.
The Chooser is the service-selection tool in the Macintosh OS. It lists all zones
in the network. Once the user selects a zone, all of the resources in that zone
will be presented, and the user can select a resource within the zone.
Do not place all WAN networks into a single zone. While AppleTalk supports multiple cable ranges per zone, it is best to limit each zone to a single cable range. Designers may wish to span a select number of zones for some service clusters.
Since the Chooser lists zone names in alphabetical order, most designers prefix the name with at least one Z when they want to move a zone to the bottom of the list. This tactic is very appropriate for WAN segments and other zones that hold no user resources.
FIGURE 5.2
Dynamic routing within the AppleTalk environment may use a number of protocols, which include AppleTalk RTMP, AppleTalk EIGRP
(Enhanced Interior Gateway Routing Protocol), and AURP (AppleTalk
Update-Based Routing Protocol). This section will introduce each of these
along with information for designers to consider when selecting the appropriate protocol for their environment.
While floating static routes are typically not incorporated into most
AppleTalk designs, Cisco introduced the concept of floating static routes
for AppleTalk in IOS version 11. This feature may be useful for designers
when incorporating backup routes into the network.
AppleTalk RTMP
The default AppleTalk routing protocol is RTMP, which is very similar to the Routing Information Protocol (RIP) found in IP. Both protocols are limited to a hop count of 15, and RTMP always uses split horizon when sending updates. Unlike IP RIP, which updates every 30 seconds, RTMP sends updates every 10 seconds. Updating so frequently adds significantly to the chatty reputation of the overall protocol. Updates take the form of tuples, each containing a cable range and a hop count.
The designer must consider a number of factors with RTMP. First, networks are limited to 15 hops by the routing protocol. This limitation may not be a large concern, because a well-designed network should rarely need 15 hops between networks, but it remains a factor in the design. Second, RTMP is very chatty, as noted, so the designer may wish to use another protocol to conserve bandwidth and router resources. This option is not always available, however, because workstations and servers need to hear RTMP updates in order to operate on the network. Consequently, RTMP is not disabled on populated segments.
The designer should also consider the following with regard to AppleTalk
RTMP packets:
By using this information, the designer may calculate the impact that routing updates have on the network. This impact is especially important on low-speed WAN links, where bandwidth may be severely limited. A large routing table, transmitted in its entirety every 10 seconds, would quickly consume a substantial percentage of the bandwidth of a 56Kbps circuit.
Partial-mesh networks are also thwarted by the split-horizon updates that RTMP requires: a hub router cannot re-advertise one spoke's routes out of the interface on which it learned them, so spokes that share that interface never learn of each other. As a result, designers will need to use full-mesh topologies or consider the other two routing protocols, AT EIGRP or AURP. The EIGRP version of AppleTalk is perhaps best suited to address this problem.
AppleTalk EIGRP
As with all of the EIGRP routing protocols, AppleTalk EIGRP (AT EIGRP) is proprietary to Cisco and requires the administrator to commit to an all-Cisco solution. For some environments this restriction does not pose a significant shortcoming, and the use of AT EIGRP can greatly enhance the scalability of the AppleTalk protocol.
Unlike EIGRP for IP and IPX, AT EIGRP does not use the same autonomous system (AS) or process identifier on all routers in the network. In fact, the AT EIGRP identifier must be different on each router that participates in AT EIGRP. This requirement is an important design and documentation consideration that should be incorporated into the addressing and naming convention. The number following the command, appletalk routing eigrp router-number, is therefore not an AS number but a router number that must be unique across the network, as shown.
bandwidth (updates occur only following a network change) and rapid convergence (under one second following a link failure). Of course, convergence
times within the RTMP environment will be limited by that protocol.
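The configuration below is an added example, not the book's own, that ties together the addressing, zone-naming and AT EIGRP sections: two routers joined by a WAN link. The four-digit cable ranges follow the building/floor scheme described under AppleTalk Addressing, the WAN zone carries a ZZ prefix so that it sorts to the bottom of the Chooser, RTMP stays on the populated Ethernet segments, and the serial link runs AT EIGRP only. Interface names, cable-range values, zone names and the router numbers are assumptions.

```ios
! ---- Router A, building 1 (added example; all values are assumed) ----
! Router number 1: this is a per-router identifier, not an AS number
appletalk routing eigrp 1
!
interface Ethernet0
 ! building 1, floor 2: ten network numbers, 253 nodes each
 appletalk cable-range 1200-1209
 appletalk zone Marketing
 ! RTMP is left running here because the workstations and servers on
 ! this segment depend on hearing its updates
!
interface Serial0
 ! one network number is enough for a point-to-point link
 appletalk cable-range 9001-9001
 ! ZZ prefix keeps this non-user zone at the bottom of the Chooser list
 appletalk zone ZZ-WAN-A-B
 ! EIGRP only on the WAN: updates are sent only when the topology changes.
 ! Enable EIGRP on the interface before removing RTMP from it.
 appletalk protocol eigrp
 no appletalk protocol rtmp
!
! ---- Router B, building 2 ----
! The router number must differ from every other AT EIGRP router
appletalk routing eigrp 2
!
interface Ethernet0
 ! building 2, floor 1
 appletalk cable-range 2100-2109
 appletalk zone Finance
!
interface Serial0
 ! cable range and zone name must match router A exactly, including case
 appletalk cable-range 9001-9001
 appletalk zone ZZ-WAN-A-B
 appletalk protocol eigrp
 no appletalk protocol rtmp
```

A zone name that differs only in case between the two ends of the link is the kind of mismatch the naming section warns about: it may appear to work at first and fail later. On either router, show appletalk eigrp neighbors should list the other, and show appletalk route should show the far building's cable range learned through EIGRP rather than RTMP.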
AURP
No, someone didn't just lose their lunch. AURP specifies a standard way of connecting AppleTalk networks over point-to-point lines, including dial-up modems and T1 lines. More importantly, it provides a specification for tunneling AppleTalk through foreign network systems, such as TCP/IP, X.25, OSI, and DECnet.
AURP also reduces routing update traffic. As opposed to the default 10-second update interval of RTMP, AURP updates routing tables only when a network change occurs. These updates carry only the changed routes rather than the entire routing table, which further reduces the volume of traffic on the WAN link. Another benefit of the protocol is that it is published as an open specification through the Internet Engineering Task Force (IETF), as RFC 1504, which makes it well suited to multivendor environments. The same is not true of AT EIGRP.
Designers should remember the following when considering AURP:
AURP sends routing updates only when needed, reducing routing traffic overhead.
AURP allows for manipulation of the hop count, permitting potentially larger networks than RTMP would allow. Designers using this technique can reduce the number of hops counted across the AURP tunnel; thus, a network eight hops away can appear to be only two hops away, based on the designer's configuration.
(Figure: two AppleTalk networks, each with Macintosh hosts, joined by an AURP tunnel across an IP-only WAN)
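The configuration below is an added example for the figure above, not the book's own: two AppleTalk routers joined by an AURP tunnel across an IP-only WAN. The tunnel is a virtual interface that carries no cable range of its own; it runs AURP, and the IP path between the two tunnel endpoints must already exist. Addresses, interface names, cable ranges and zone names are assumptions.

```ios
! ---- Router at site A (added example; all values are assumed) ----
appletalk routing
!
interface Ethernet0
 appletalk cable-range 1200-1209
 appletalk zone Marketing
!
interface Serial0
 ! the WAN is IP only: no AppleTalk cable range on this interface
 ip address 192.0.2.1 255.255.255.252
!
interface Tunnel0
 tunnel source Serial0
 ! IP address of site B's WAN interface; it must be reachable via IP
 tunnel destination 203.0.113.1
 tunnel mode aurp
 ! AURP runs on the tunnel interface and learns site B's cable ranges
 ! only when they change, not every 10 seconds as RTMP would
 appletalk protocol aurp
!
! ---- Router at site B ----
appletalk routing
!
interface Ethernet0
 appletalk cable-range 2100-2109
 appletalk zone Finance
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
!
interface Tunnel0
 tunnel source Serial0
 tunnel destination 192.0.2.1
 tunnel mode aurp
 appletalk protocol aurp
```

AURP itself carries no authentication, so each tunnel endpoint accepts whatever arrives from the configured destination address; keep the WAN interfaces reachable only from each other, and verify the tunnel with show appletalk aurp topology, which lists the cable ranges learned from the far side.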
In addition to the typical Cisco access list, a number of protocol-specific access lists are available to the designer, including ZIP filters and NBP filters. These will be presented in this section.
TABLE 5.2   AppleTalk Filtering Commands

Command                          Function
appletalk distribute-list in     Filters the cable ranges accepted from routing updates received on the interface.
appletalk getzonelist-filter     Filters the zone names returned in GetZoneList replies, which controls what the Chooser displays.
appletalk access-group           Applies an AppleTalk access list to data packets on the interface.
appletalk permit-partial-zones   Allows a zone to be advertised when a route filter permits only some of the cable ranges in it; by default the whole zone is suppressed.
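The configuration below is an added example, not the book's, using two of the commands in Table 5.2: a GetZoneList filter that keeps the WAN zone out of users' Choosers, and an inbound distribute-list that accepts from the WAN neighbor only the cable ranges that neighbor is supposed to originate. Access-list numbers, cable ranges and zone names are assumptions.

```ios
! Added example; list numbers, ranges and zone names are assumed
!
! 601: ZIP (GetZoneList) filter. Hides ZZ-WAN-A-B from the Chooser only.
! It does not stop a user who already knows the zone name from reaching
! resources in it, so treat it as a tidiness control, not an access control.
access-list 601 deny zone ZZ-WAN-A-B
access-list 601 permit additional-zones
!
! 602: route filter for the WAN link. "within" matches any cable range
! that falls inside 2000-2999, which is building 2's block. Anything else
! the far router advertises (including our own building-1 ranges echoed
! back by a misconfigured or hostile router) is refused.
access-list 602 permit within 2000-2999
access-list 602 deny other-access
!
interface Ethernet0
 appletalk cable-range 1200-1209
 appletalk zone Marketing
 ! applied where the Chooser requests arrive
 appletalk getzonelist-filter 601
!
interface Serial0
 appletalk cable-range 9001-9001
 appletalk zone ZZ-WAN-A-B
 ! accept only building-2 routes from the far router
 appletalk distribute-list 602 in
```

Because a zone can span several cable ranges, a route filter like 602 can leave a zone with some of its networks permitted and some denied; the router then suppresses the whole zone unless appletalk permit-partial-zones is configured globally. To actually block traffic rather than hide routes, apply the same kind of list with appletalk access-group on the interface.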
Macintosh IP
Macintosh IP (MacIP) was an interesting protocol, albeit a short-lived one. Rather than providing an IP stack, MacIP acted, more accurately, as a proxy or gateway. While most modern installations use a fully compliant IP stack for the Macintosh, MacIP software allowed IP connectivity over the lower-level DDP protocol and required the command appletalk macip on Cisco routers.
MacIP was most frequently configured to support LocalTalk or AppleTalk Remote Access (ARA). These installations required MacIP in order to give clients access to IP resources. LocalTalk is Apple's original low-speed (230.4Kbps) cabling for AppleTalk, and ARA is a dial-up method of connecting Macintosh devices to the network via a modem; neither carries IP natively. ARA is still used in some installations.
Configuration of MacIP required the following:
The MacIP zone name configured had to be associated with a configured or seeded zone name.
AppleTalk Interoperability
This chapter has already addressed a number of AppleTalk interoperability issues, including tunneling and the AppleTalk version of EIGRP.
However, there are a few other items to keep in mind.
First, while AppleTalk generates a significant number of broadcasts in
the network, the impact of other protocols on AppleTalk-only nodes is
greatly reduced. Stated another way, IP and IPX broadcasts are discarded by
AppleTalk-only devices at an earlier point than broadcasts in other protocols. In
fact, AppleTalk-only stacks will discard all packets from all other Layer 3
protocols.
Second, the number of broadcasts in AppleTalk will significantly impact
other devices on the network. Both IP and IPX stacks will process AppleTalk
broadcasts like any other broadcast. Therefore, adding IP to Macintosh systems or running IPX- and IP-based PCs on segments with AppleTalk devices
will greatly magnify the impact of broadcasts.
In most current networks, designers have removed, or are in the process of removing, AppleTalk. Where AppleTalk segments remain, the general guideline is to place fewer than 200 nodes on a segment.
Summary
The AppleTalk protocol is perhaps one of the most user-friendly networking protocols ever developed. Unfortunately, the scalability limitations of the protocol and the impact of the Internet (with its implied dependence on IP) have restricted its usage.
In this context, this chapter addressed the issues that confront network designers using AppleTalk in both large and small networks and suggested methods by which the designer might address the limitations of the RTMP protocol, including the use of AppleTalk EIGRP, access lists, and specific naming and addressing conventions.
In addition, this chapter addressed some of the enhancements to the AppleTalk protocol, including AURP and the efficiency of using MacOS version 7. Filters specific to AppleTalk were also reviewed.
Readers should be fairly comfortable with the features and benefits of AURP and AT EIGRP as they relate to the default RTMP. The operation of the Chooser in AppleTalk networks is also an important concept to understand.
Review Questions
1. Which of the following are limitations of the AppleTalk protocol?
A. No hierarchical addressing scheme
B. No hierarchical naming scheme
C. High dependence on broadcasts
D. All of the above
2. When using the AppleTalk version of EIGRP, what unique convention
must be followed?
A. The same AS number must be used on all routers in the domain.
B. Different process numbers must be used on each router in the
domain.
C. RTMP must have the same AS number as AT EIGRP.
D. There is no version of AppleTalk EIGRP.
3. To connect two AppleTalk networks across an IP-only backbone, the
should:
A. Design cable ranges that are numerically significant
B. Use MacOS version 7 or greater
C. Use RTMP
D. Use AT EIGRP
frequently?
A. Every 3 seconds
B. Every 5 seconds
C. Every 10 seconds
D. Every 60 seconds
12. Two devices are addressed as 4.5 and 7.9, respectively. Are they in the
systems.
B. It provides TN3270 emulation.
C. It is faster than TCP/IP for file transfers.
D. It is similar to a proxy service.
15. Which of the following is a reason to use tunnels for AppleTalk?
A. Additional overhead and processing
B. Transport of AppleTalk over IP-only networks
C. Additional security
D. Compatibility with CDP
16. Node number 231 is on cable range 50-59. Which of the following is
office model
D. Be the same for all WAN segments
19. Which of the following is not true regarding MacIP?
A. It requires at least one IP network.
B. It requires at least one AppleTalk network.
C. The MacIP server must be in the AppleTalk network.
D. It operates only with AppleTalk Remote Access (ARA).
20. AppleTalk tunnels are best configured in:
A. Star configurations
B. Ring configurations
C. Hierarchical configurations
D. None of the above. Tunnels are available only on point-to-point
serial links.
Some designers may note that tunnels can be encrypted, thus augmenting security. However, enhanced security is not a primary reason
to use tunnels for AppleTalk in this context.
16. D.
17. A.
18. C.
19. D.
20. A.
Chapter 6
Designing Networks with Novell and IPX
CISCO INTERNETWORK DESIGN EXAM
OBJECTIVES COVERED IN THIS CHAPTER:
Use Enhanced IGRP for path determination in internetworks
that support IP, IPX, and AppleTalk.
Examine a clients requirements and construct an appropriate
IPX design solution.
Choose the appropriate routing protocol for an IPX
internetwork.
Design scalable and manageable IPX internetworks by
controlling RIP and SAP traffic.
For many years, Novell's IPX protocol commanded a significant share of the networking market. However, like AppleTalk, Novell's IPX protocol is being replaced with TCP/IP in most modern networks.
As with AppleTalk, IPX was designed to simplify administrative functions and avoid some of the manual, complex tasks that were required of administrators and designers. For example, IPX does not incorporate the concept of subnets, which removes the need for calculating subnet masks or pre-limiting the number of hosts that a network will support. This is both a positive and a negative: administrators need to configure the network address only once and all workstations will automatically learn this information, but this automation adds to the total overhead.
This chapter will address many of the common issues that arise when designing IPX networks, and it will also provide some direction toward creating a scalable design.
TABLE 6.1   IP and IPX Compared

Feature                 IP                                                    IPX
Automatic addressing    Automatic address assignment requires DHCP.           Built in: the node address is the MAC address and the network number is learned from the router or server.
Automatic naming        Requires DNS (or WINS).                               Built in: servers advertise their names and services with SAP.
Route summarization     Available.                                            Available only with NLSP.
Internet connectivity   Native.                                               Not routed on the Internet; requires a gateway or tunneling.
Subnet masks            The IP protocol is designed around the concept of subnet masks.   None; a network number identifies a whole segment.
Scalability             High, with hierarchical addressing.                   Limited by RIP and SAP broadcast overhead; improved by NLSP.
Also, note that Cisco routers typically require the configuration of an IPX
internal network number for NLSP and other services within the Novell
environment. As with other network numbers, the internal network number
must be unique within the internetwork.
While there are many similarities between IP RIP and IPX RIP, please note that
they are different routing protocols.
In order to reduce the possibility of routing loops, IPX RIP must use split horizon, similar to the requirement with AppleTalk RTMP. In addition, IPX RIP employs a lost-route algorithm that helps prevent routing loops. This function also locates new routes upon failure.

TABLE 6.2   IPX Switching Modes

Switching mode          Similar to IP   Load balancing
Process switching       Yes             Packet by packet
Fast switching          No              Packet by packet
Autonomous/silicon      Yes             Destination by destination

Designers can modify the default IPX RIP metrics by using the ipx delay command, which sets the tick count of an interface.
Do not infer from Table 6.2 that IPX cannot be fast-switchedit can. Its behavior is different from the characteristics of IP fast switching. Also note that
some versions of the IOS, including 11.2(12), have problems with IPX fast
switching, and administrators should upgrade their routers as applicable.
TABLE 6.3   IPX SAP Filter Commands

Filter      Command
Input       ipx input-sap-filter
Output      ipx output-sap-filter
Source      ipx router-sap-filter

The IPX SAP access lists are numbered from 1000 to 1099 and are configured in a similar fashion to IP access lists. The syntax is as follows:
access-list {number} {deny | permit} network[.node] [service-type [server-name]]
A network number of -1 matches any network, and a service type of 0 matches all services. Like other access lists, SAP access lists are parsed in sequence and end with an implicit deny, so a list containing only deny entries blocks every SAP; at least one permit entry is needed to let anything through.
SAP update traffic can also be reduced without filtering its contents. You accomplish this with the ipx sap-incremental command, introduced with Cisco IOS 10.0, which sends SAP updates only when the service table changes and uses the reliable transport of IPX EIGRP to carry them. The option is available even where EIGRP is not used for routing: adding the rsup-only argument makes EIGRP carry SAP updates only, while IPX RIP continues to supply the routes.
For use with non-Cisco equipment, it is possible instead to lengthen the default interval between SAP broadcasts; however, you must deploy this option with caution and consistency, because every router and server on a segment must agree on the interval or services will age out prematurely. The benefit of this option is the reduction of bandwidth consumed by SAP broadcasts. However, as with most options, the designer and administrator must accept a compromise: as the time between updates increases, so does the time before a failed service is noticed and removed. This may not be a significant concern in most networks, but it is worth considering before selecting this SAP control option.
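The configuration below is an added example, not the book's, showing the SAP access-list syntax above together with the incremental-SAP option on a WAN link. Outbound, only file servers (service type 4) from any network and print servers (type 7) from one network are advertised; inbound, only file-server advertisements from the remote site's own network are accepted, so a rogue machine at the far end cannot announce itself as a server here. Network numbers (hexadecimal), the EIGRP AS number and interface names are assumptions.

```ios
! Added example; network numbers (hex) and the AS number are assumed
ipx routing
!
! List 1000, outbound: -1 matches any network, 4 = file server, 7 = print
! server. Any service not listed (NetWare RCONSOLE, type 107 hex, for
! example) is dropped by the implicit deny at the end of the list.
access-list 1000 permit -1 4
access-list 1000 permit 2A 7
!
! List 1001, inbound: accept file-server SAPs only when the server sits on
! the remote site's network 3B; everything else arriving over the WAN is
! discarded by the implicit deny.
access-list 1001 permit 3B 4
!
! EIGRP process used as the reliable transport for SAP on Serial0;
! with rsup-only the interface keeps using IPX RIP for its routes
ipx router eigrp 100
 network 300
!
interface Serial0
 ipx network 300
 ! advertise out of the WAN only what passes list 1000
 ipx output-sap-filter 1000
 ! believe from the WAN only what passes list 1001
 ipx input-sap-filter 1001
 ! send SAP updates only on change instead of every 60 seconds
 ipx sap-incremental eigrp 100 rsup-only
```

After applying the filters, show ipx servers on the far router should list only the permitted file and print servers, and debug ipx sap activity on this router should go quiet on Serial0 between service changes.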
IPXWAN
While it is uncommon, there may be an instance when the designer or administrator would wish to connect a Novell server to a Cisco router via the Point-to-Point Protocol (PPP). Such installations are occasionally used for disaster recovery.
The IPXWAN protocol operates over PPP to provide accurate routing metrics on dial-up connections, which it accomplishes via a handshake process when the link comes up. IPXWAN is an established standard (RFC 1634), which permits interoperability with non-Cisco devices. Cisco has supported the protocol since IOS 10.0.
It was noted previously that IPX serial links are assigned a default cost of six ticks. IPXWAN over PPP measures the link delay and resolves this automatically. The command ipx link-delay is used to adjust the cost of each link. Table 6.4 provides suggested delay values based on formulas from Cisco and Novell. Note that these values were developed for IPXWAN 2.0.
TABLE 6.4   Suggested IPXWAN Delay Values

Link speed    Ticks
9600 bps      108
19.2Kbps      60
38.4Kbps      24
56Kbps        18
128Kbps       12
256Kbps
1.544Mbps
Frame type          Cisco encapsulation keyword
Ethernet 802.3      novell-ether
Ethernet 802.2      sap (or iso1)
Ethernet SNAP       snap
Ethernet II         arpa
Token Ring          novell-tr or snap
FDDI SNAP           snap
FDDI 802.2          sap (or iso1)
(Figure: a router with subinterfaces e0.1 and e0.2 on a single Ethernet segment; a NetWare server on network 100 uses the Ethernet II frame type)
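The configuration below is an added example for the figure above, not the book's own. One Ethernet segment carries two IPX frame types, so the router uses two subinterfaces, each with its own network number and an encapsulation keyword from the table; the internal network number required for NLSP is also set, and a 56Kbps serial link takes the 18-tick value from Table 6.4. Network numbers (hexadecimal) and interface names are assumptions, and the serial link is a plain leased line that does not run IPXWAN.

```ios
! Added example; network numbers (hex) and interface names are assumed
ipx routing
! Internal network number: required for NLSP and must be unique
! across the whole IPX internetwork, like any other network number
ipx internal-network 1A2B
!
! One Ethernet segment, two frame types. The NetWare server on network 100
! uses Ethernet II (arpa); clients on network 200 use 802.2 (sap). Each
! frame type is a separate IPX network, so each gets its own subinterface,
! and the router forwards between them like any two networks.
interface Ethernet0.1
 ipx network 100 encapsulation arpa
!
interface Ethernet0.2
 ipx network 200 encapsulation sap
!
! 56Kbps leased line without IPXWAN: 18 ticks per Table 6.4, so that
! IPX RIP prefers a faster path whenever one exists
interface Serial0
 ipx network 300
 ipx delay 18
```

A client whose driver is bound to the wrong frame type will see the Nearest Server query in the sniffer decode below go unanswered, because the server and the client are on different IPX networks even though they share the cable; show ipx interface Ethernet0.1 and Ethernet0.2 confirm which encapsulation each network is using.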
Length: 34
Transport Control:
Reserved: %0000
Hop Count: %0000
Packet Type: 0 Novell
Destination Network: 0x00000000
Destination Node: ff:ff:ff:ff:ff:ff Ethernet Brdcast
Destination Socket: 0x0452 Service Advertising Protocol
Source Network: 0xf3df9b36
Source Node: 00:60:08:9e:2e:44
Source Socket: 0x4000 IPX Ephemeral
SAP - Service Advertising Protocol
Operation: 3 NetWare Nearest Service Query
Service Type: 4 File Server
Extra bytes (Padding):
......... 00 04 00 04 00 04 00 04 00
Frame Check Sequence: 0x00000000
Novell networking adheres to a client-server model in almost all cases. Therefore, servers are strictly servers and clients are resources that use the services
provided by servers. This differs from AppleTalk and Microsoft peer-to-peer
networking, where clients can be servers as well.
Most distance-vector routing protocols are inefficient when compared to link-state routing protocols. These inefficiencies include high bandwidth utilization, slow convergence, and limited route calculations. Link-state protocols improve upon distance-vector protocols; however, they typically consume substantial amounts of processor and memory resources.
In order to improve the scalability of the IPX protocol, Novell developed
NLSP, or the NetWare Link Services Protocol. NLSP is an open standard
that greatly improves upon the limitations found in IPX RIP. These benefits
include faster convergence, lower bandwidth consumption, and a greater
network diameter.
Networks that use both IPX RIP and NLSP are limited to the 15-hop diameter
imposed by IPX RIP. It is possible to adjust the hop count during redistribution; however, this can be confusing in a troubleshooting scenario and should
only be used with clear documentation and training.
Unlike IPX EIGRP, NLSP is available on servers, which can permit its use
on populated segments. This factor can facilitate migration to an all-NLSP
network, which would allow for a greater network diameter.
In addition, NLSP supports route aggregation, a service not supported by
IPX EIGRP or IPX RIP. This option can greatly reduce the size of the IPX
routing table.
Network architects should limit the number of routing nodes per NLSP
area when designing their networks. The recommended limit is approximately 400 nodes; however, a more accurate impact definition may be found
with the formula n*log(n).
NLSP is also best deployed with each area contained in a geographic
region (a single campus, for example). Large, international IPX networks
should not place all routers in a single area.
Incorporating NLSP into a network design is made easier by the automatic redistribution mechanism on Cisco routers. Routers running both IPX
RIP and NLSP will automatically learn of the other process's routes, and the
implementation automatically limits the likelihood of routing loops.
Note that this may lead to suboptimal routing, and designers should verify
the routing table following implementation to confirm that the paths
selected are, in fact, the most desirable.
Some administrators are leery of deploying NLSP because they believe
that readdressing will be required. Readdressing is necessary only to create
logical areas for summarization. If the network resides in a single area,
readdressing will not be required.
This leads to a design consideration for new networks. Designers
should strive to create logical addressing schemes even when not designing for
NLSP, for two reasons. First, a logical addressing scheme greatly assists in
address assignment and troubleshooting. Second, logical addressing keeps route summarization available in the future should the network
expand beyond its initially conceived boundaries.
Consider a network design where slow frame-relay links are used for the
WAN. The designer would likely select NLSP over IPX RIP and IPX EIGRP
for the following reasons:
Partial-mesh topology: n - 1 links
Here n is equal to the number of routers in the network. These formulas discount redundant links and other considerations.
Figures 6.3 and 6.4 illustrate the use of NLSP and the summarization of
addresses within NLSP areas.
FIGURE 6.3 NLSP areas
[Figure: three NLSP areas with their summary address ranges: Area 1 = 10000000-1FFFFFFF, Area 2 = 20000000-2FFFFFFF, Area 3 = 30000000-3FFFFFFF.]
FIGURE 6.4 Summarization within NLSP areas
[Figure: individual networks 10000001, 10000002, 10000003, 10000101, 10000102, and 10000103 all fall within the 10000000-1FFFFFFF summary; Area 2 = 20000000-2FFFFFFF and Area 3 = 30000000-3FFFFFFF are shown as single summaries.]
The tick count is not incremented when converting from IPX RIP to IPX
EIGRP. The hop count is incremented at each conversion; thus, two hops
are added when going from IPX RIP to IPX EIGRP and on to another IPX RIP
segment.
FIGURE 6.5 NetBIOS name prefixes by department
[Figure: router interfaces e0 (Marketing, names MKT*), e1 (Human Resources, names HR*), and e2 (Sales, names SLS*).]
While Figure 6.5 shows varying-length prefixes for NetBIOS names, most
administrators and designers use a convention that fixes the length at two
or three characters. Some designs use geographic considerations for filtering as well.
IPX Type 20
As noted previously, NetBIOS was originally designed around flat networks
that would support broadcasts. However, this solution cannot scale beyond
a few hundred nodes, which mandated carrying NetBIOS over a routable lower-layer protocol. In IP, this is NetBT (NetBIOS over TCP/IP). In Novell
IPX it is called NWLink. By encapsulating NetBIOS in a routable protocol,
the network can scale to greater dimensions.
Novell IPX can also support NetBIOS broadcasts in otherwise routed
designs. NetBIOS over IPX uses IPX packet type 20, and the interface command ipx type-20-propagation instructs the router to forward type 20 packets received on that interface to its other interfaces. Remember that routers drop broadcasts by
default; this command makes an exception for type 20 packets only, and every other broadcast is still dropped. Enable it only on the interfaces that must exchange NetBIOS traffic, since each interface on which it is enabled extends the NetBIOS broadcast domain.
The NetBIOS protocol is fundamental to Windows networking. It will be presented in greater detail, as it relates to Windows, in Chapter 7. Please note that
Windows 2000 and Active Directory promise to remove the dependency on
NetBIOS from the Windows environment.
IP eXchange Gateway
One of the beneficial features of the IP eXchange gateway was its use of
a single IP address to service all the clients in the network. This greatly simplified troubleshooting and administration.
Figure 6.6 illustrates the connectivity between devices in the IP eXchange
environment.
FIGURE 6.6 IP eXchange connectivity
[Figure: IPX clients reach the IP eXchange gateway over IPX; the gateway reaches an IP-only resource and the Internet over IP.]
from activating, so the server believes that it is still connected to the remote
workstation.
SPX spoofing is another useful service in DDR environments. This service
operates at the remote end of the DDR connection and acknowledges SPX
keepalives transmitted by the client. This may be for an rconsole session (rconsole is a remote
administration tool for Novell servers) or for connectivity to an SAA
gateway (Novell's gateway for SNA, or Systems Network Architecture). The use of SPX
spoofing prevents the router from activating the circuit, which usually
reduces costs in the DDR environment.
Figure 6.7 illustrates the IPX watchdog process. Figure 6.8 illustrates the
SPX spoofing function. Note that watchdog spoofing was introduced in
Cisco IOS version 9.1.9, and SPX spoofing was introduced in 11.0.
FIGURE 6.7 IPX watchdog spoofing
[Figure: Novell server, router performing IPX watchdog spoofing, DDR link, Novell client.]
FIGURE 6.8 SPX spoofing
[Figure: Novell server, DDR link, router performing SPX spoofing at the remote end, Novell client.]
Summary
IPX RIP
IPX NLSP
IPX EIGRP
The use of IPX EIGRP and NLSP to improve the routing process
Review Questions
1. Load balancing is available for IPX on Cisco routers with which of the
following commands?
A. ipx load-balance
B. ipx maximum-paths
C. ipx fast-cache all-interfaces
D. Not available for IPX
2. The network diameter is limited to which of the following when using
IPX RIP?
A. 7 hops
B. 15 hops
C. 16 hops
D. 224 hops
3. Cisco routers can support more than one IPX frame type on a major
destination.
A. True
B. False
7. The general rule of thumb regarding IPX limits the number of nodes
13. The designer wants to deploy the most scalable, standards-based, IPX
spoofing?
A. To prevent activation of DDR circuits
B. To filter SAP broadcasts
C. To make sure DDR circuits do not disconnect
D. To encapsulate these packets across WAN links
19. The delay for GNS queries on a serverless segment is (assume version 11.2
segment.
C. Encapsulate GNS queries for transport to a central server.
D. The router does not respond to GNS queries. This is a server
function.
This is one of the few times when the Cisco solution isn't the requested
one. IPX EIGRP is not an open standard and requires the use of Cisco
routers throughout.
14. D.
15. C.
16. B.
17. C.
18. A.
19. C.
20. A.
Chapter 7
Windows 95/98
Windows NT/2000
Desktop Protocols
Broadcasts
The issue of broadcasts in designs has been raised throughout this book. This
is predominantly due to the impact of broadcasts on client workstations and the
overhead imposed on each host's processor by receipt of those datagrams.
This is not an issue with unicasts, where only the destination station performs the
processing required by the upper-layer protocols. With broadcasts, however,
every node in the broadcast domain must process the packet, and the majority
of the nodes will discard the information, resulting in waste.
Broadcasts may be measured using two methods: broadcasts per second
and broadcasts as a percentage of all traffic. A good metric depends on the number
of broadcasts per second; 100 per second is a recommended guideline. Unfortunately,
most networkers learned a long time ago that 10 percent broadcast traffic
was a threshold and that networks were healthy so long as traffic remained
below that value. Yet in practice, using a percentage as a metric is too limited
for a number of reasons:
- The percentage method does not consider the true impact of broadcasts on the network. Bandwidth, for example, is not a concern until
collisions, contention, buffering, and other factors are surpassed,
none of which relates to broadcasts directly.
- Broadcasts require the host processor to parse the datagram before the
packet can be discarded. Since most broadcasts are not destined for a
specific host, this is unnecessary overhead.
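To make the point concrete, here is an added example (not from the book) that scores a constructed packet capture both ways. It builds two synthetic segments: a busy one carrying 2,000 frames per second of which 150 are broadcasts, and a quiet one carrying 200 frames per second of which 40 are broadcasts. The percentage rule flags the quiet segment and passes the busy one; the per-second rule does the opposite, and it is the hosts on the busy segment that are parsing 150 broadcasts every second. The records, MAC addresses and thresholds are all constructed for the example.

```python
"""Score a capture by broadcasts per second and by broadcast percentage.

Added example, not from the book. Records are (timestamp_seconds, dst_mac)
tuples such as a capture tool would export; the two segments below are
constructed, not measured.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
RATE_GUIDELINE = 100      # broadcasts per second, the guideline given in the text
PERCENT_GUIDELINE = 10.0  # the traditional 10 percent rule

Record = Tuple[float, str]


def per_second_counts(records: Iterable[Record]) -> Dict[int, Tuple[int, int]]:
    """Bucket frames into one-second intervals: second -> (broadcasts, total)."""
    buckets: Dict[int, List[int]] = defaultdict(lambda: [0, 0])
    for ts, dst in records:
        bucket = buckets[int(ts)]
        bucket[1] += 1
        if dst.lower() == BROADCAST_MAC:
            bucket[0] += 1
    return {sec: (b, t) for sec, (b, t) in buckets.items()}


def evaluate(records: Iterable[Record],
             rate_limit: int = RATE_GUIDELINE,
             pct_limit: float = PERCENT_GUIDELINE) -> Dict[int, dict]:
    """Apply both rules to every second and report which one fires."""
    report = {}
    for sec, (bcast, total) in sorted(per_second_counts(records).items()):
        pct = 100.0 * bcast / total if total else 0.0
        report[sec] = {
            "broadcasts": bcast,
            "total": total,
            "percent": round(pct, 2),
            "rate_alert": bcast > rate_limit,
            "percent_alert": pct > pct_limit,
        }
    return report


def synthetic_segment(seconds: int, pps: int, bcast_per_sec: int,
                      host_mac: str = "00:60:08:9e:2e:44") -> List[Record]:
    """Constructed traffic: evenly spaced frames, the first bcast_per_sec of each second broadcast."""
    records: List[Record] = []
    for sec in range(seconds):
        for i in range(pps):
            dst = BROADCAST_MAC if i < bcast_per_sec else host_mac
            records.append((sec + i / pps, dst))
    return records


BUSY_SEGMENT = synthetic_segment(seconds=3, pps=2000, bcast_per_sec=150)   # 7.5 percent, 150/s
QUIET_SEGMENT = synthetic_segment(seconds=3, pps=200, bcast_per_sec=40)    # 20 percent, 40/s


if __name__ == "__main__":
    for name, segment in (("busy", BUSY_SEGMENT), ("quiet", QUIET_SEGMENT)):
        for sec, row in evaluate(segment).items():
            print(name, sec, row)
```

The same bucketing works on a real export (tshark -T fields -e frame.time_epoch -e eth.dst, for instance); the rate rule is the one that tracks host CPU cost, while the percentage rule mostly tracks how busy the rest of the segment happens to be.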
Windows Networks
Most scalable NetBIOS designs require the use of filters. This mandates a naming convention that lends itself to access lists.
Windows Domains
The domain concept establishes the authentication and security administration model for Windows-based networks. However, there are times when
scalability or administrative concerns warrant the use of more than a single
domain.
There are several domain models that are employed in modern Windows
networks. They range from the relatively simple single domain, which is best
suited to smaller organizations, to the multiple master domain model, which
is typically used in large, multinational organizations.
Single domain A single domain model is best used for small to mediumsized environments with a single administrative scope.
Global domain The global domain model incorporates numerous
domains that are administered by different organizations, typically within
the same corporation. In this configuration, all domains trust all other
domains.
Master domain In the master domain model (see Figure 7.1), all other
domains trust a single master domain. This model may be well suited to
situations when authentication needs to be centralized but control of
resources needs to be administered at the departmental level. The master
domain trusts no other domain.
FIGURE 7.1 Master domain model
[Figure: several single domains, each trusting one master domain.]
Multiple master domain The multiple master domain model (see Figure 7.2) is simply a scaled-up version of the master domain model. In this
configuration, multiple master domains trust each other, and each individual master domain is responsible for serving as the master domain for
its single domains.
FIGURE 7.2 Multiple master domain model
[Figure: two master domains trusting each other, each serving as the master for its own group of single domains.]
LMHOSTS
The first generation of name resolution services for NetBIOS involved the
LMHOSTS file. This file was manually maintained and static, and it resolved
host names in the LAN Manager (LM) environment. The file could be maintained on each host and typically listed only a few critical resources, including off-subnet domain controllers.
The LMHOSTS file could also reside on the Primary Domain Controller.
In this configuration, the clients would query the PDC for information.
Unfortunately, this configuration required a great deal of manual effort, and
maintenance of the file was only possible for small networks. Therefore, this
configuration is not recommended as a modern solution.
WINS
Designers need to remember that Windows-based networking was originally
designed for small, single-network environments. This meant that broadcasts were an acceptable method for registering and locating services. However, in modern routed networks, broadcasts are not permitted to cross
Layer 3 boundaries. In addition, addressing of IP resources migrated from
static assignments to dynamic ones, which simplified administration at the
host and worked to prevent the waste of IP v4 addresses.
It became fairly clear that the LMHOSTS file would not scale to support
significant networks. Each machine was tasked with maintaining its own
file, and administrators either frequently scheduled downloads to keep the
information on each workstation current or they had to maintain an
LMHOSTS file on the PDC that was referenced by each workstation in the
network.
To provide a dynamic method for registering NetBIOS names and associating them with IP addresses, Microsoft developed the Windows Internet
Name Service (WINS). The service provides the following benefits:
Dynamic host address assignment (DHCP, or Dynamic Host Configuration Protocol) can be used while preserving name resolution
services.
The WINS mechanism requires that the workstation know the address of
the WINS server. This may be manually configured on the client, but it is typically provided in concert with DHCP. With the specific IP address of the
WINS server, the client may communicate using unicast packets.
The WINS server may also be accessed via a subnet broadcast mechanism,
and designers may wish to consider using the WINS Relay function to forward WINS datagrams. This installation effectively proxies the WINS server
onto the local subnet but, due to the extra administration and cost factors,
is seldom used. Recall that proxies add overhead and latency.
Finally, there may be multiple WINS servers on the network for redundancy and scalability. These servers interconnect via a replication process.
Under this configuration, the client is configured (locally or via DHCP) with
multiple WINS server addresses. Upon bootup, the client registers with a
WINS server; if a server in the list is unavailable, the client attempts a connection with another in the list. This configuration is particularly common in
international networks, as the latency and cost of sending name information
across the WAN is quite high (albeit quickly becoming cheaper). However,
performance for the end user is substantially greater with a local name resolution resource.
In a campus configuration, WINS servers may be deployed at the distribution layer in order to provide redundancy. The challenge for most designers is to limit the number of servers, and like most other things, simpler is
better. Two or three WINS servers should not prove to be a significant problem
regarding replication overhead and administration. However, some early
deployments opted for a WINS server per domain or per department. Such
a design quickly falls into the "bad thing" category.
statically entered name and IP address information. The static nature of DNS
is also its most significant negative, as the administrator must manually
establish and maintain each entry. This precludes the use of DNS in DHCP
environments, where the address is assigned dynamically.
A fairly recent enhancement to DNS is Dynamic DNS (DDNS), specified in RFC 2136. The DDNS specification is compatible with traditional DNS, but information regarding addresses and host names is learned
dynamically. This makes DNS compatible with DHCP, which is a significant
enhancement in the address assignment arena. Note that dynamic updates as originally specified carry no authentication, so any host that can reach the server can add or overwrite records; deployments should require signed updates (TSIG, RFC 2845) or an equivalent control.
In Windows NT, it is also possible to configure the interchange of WINS
information into the DNS structure. This permits non-Windows-based
systems (Unix hosts, primarily) to use name references. Most large network designs create a sub-domain for names learned via this method. Thus,
an existing Unix DNS structure is maintained for company.com, for example,
while a sub-domain of wins.company.com is referenced for the dynamic
entries. In addition, Windows clients may use DNS information for name
resolution.
DHCP
Address assignments
Cisco routers can provide limited DHCP services; however, most installations
make use of a dedicated server.
Use              Address Range
Administration   192.168.1.1 to 192.168.1.31
Users            192.168.1.32 to 192.168.1.254

TABLE 7.2

Use              Address Range
Administration   192.168.1.1 to 192.168.1.31
Users, Server A  192.168.1.32 to 192.168.1.127
Users, Server B  192.168.1.128 to 192.168.1.254
The configuration shown in Table 7.2 would leave 96 user addresses (192.168.1.32 through 192.168.1.127, the scope held by Server A) under the
worst-case single failure, the loss of Server B. Given this information, designers should consider
the network mask in use, the number of users per subnet, expansion, VLSM,
and other factors before selecting a DHCP redundancy method.
Older DHCP clients required access to the DHCP server on each boot before
they could use the address previously assigned, even if the lease interval was
still valid. This behavior has been changed in newer releases of the client software, and the workstation can use the assigned address up to the end of the
lease.
Address Assignments
Certain network devices do not lend themselves to dynamic address assignment. Routers, switches, managed hubs, servers, and printers all fall into
this category. Many networks opt to define an address block for these
devices at the beginning or end of the subnet. For example, all host
addresses from .1 to .31 might be omitted from the DHCP scope for manual
assignment. This assumes that no populated segment uses a mask longer
than /24 (255.255.255.0); on a /27, for example, reserving .1 to .31 would leave no addresses for the scope at all, which is a consideration when composing a numbering scheme.
Designers may also choose to give servers and other devices permanent dynamic assignments, known as DHCP reservations: the DHCP server is configured with a static entry keyed on the MAC address of the interface card.
Either of the two above methods permits an entry in the DHCP database
that maintains a single address for the resource. However, the latter method
raises the potential for the server to lose its lease for the address. While no
other host may use the address, the server must renew its lease as if the
address were truly dynamic. Note also that a reservation keyed on a MAC address is not a security control, since any host on the segment can present that MAC address.
NetBIOS Protocols
FIGURE 7.4 NetBEUI protocol stack
[Figure: SMB over NetBIOS over LLC over DLC.]
FIGURE 7.5 NetBIOS browser over UDP/IP
[Figure: SMB browser and SMB over NetBIOS over UDP over IP over DLC.]
FIGURE 7.6 NetBIOS session services over TCP/IP
[Figure: MSRPC/IPC, SMB named pipes, and SMB/CIFS over NetBIOS over TCP over IP over DLC.]
FIGURE 7.7 Windows client reaching the Internet through IP eXchange
[Figure: Windows client on an FDDI ring, IP eXchange gateway, Internet.]
schools and small offices, although basic home networks also may use only
NetBEUI/NetBIOS.
In these networks, a single station is elected the Browse Master. All other
stations advertise their presence on the network with a broadcast and use a
broadcast to locate resources. The election of the Browse Master is also handled via broadcasts, and the network can support several backup Browse
Masters. Remember that this type of network was deployed frequently in
peer-to-peer environments, not in client/server installations (for which the
broadcast model works well).
Designers should note that Samba is available for Unix hosts to
provide SMB (Server Message Block) services to Windows-based systems.
This permits file and print sharing (functions that use the SMB protocol) without the need for NFS and LPD client software on Windows.
FIGURE 7.8 WINS across the corporate WAN
[Figure: Windows clients at several sites registering with a US WINS server across the corporate WAN.]
RAS Notation

Protocol    PPP network control protocol
TCP/IP      IPCP
IPX         IPXCP
NetBEUI     NBFCP

Cisco products will also support these encapsulations when running IOS version 11.1 or greater.
Summary
Windows networking incorporates a number of standards-based and proprietary services, including WINS, DHCP, DNS, DDNS, NBT, NWLink, and
domains, which are important for the designer to understand and consider
when architecting the network.
This chapter discussed the following topics:
In most modern networks, designers need to focus on the Windows environment more than Novell and AppleTalk. However, understanding the
mechanisms by which each of the desktop protocols operates will greatly
facilitate troubleshooting and support considerations. In addition, designers
are frequently called upon to support multiple platform installations or to
migrate from AppleTalk and IPX to IP.
While not addressed in this chapter, cost and history also are factors in
NetBIOS/Windows network design. The battles between Novell and
Microsoft have been effectively rendered moot, and the best outcome from
this history is a realization that the best tool for the job makes the most sense.
The issue of thin Windows clients (terminals that display only applications served from a multiuser server) is also outside the scope of this chapter.
In short, much progress has been made in the technology of these tools in
recent years. Designers should carefully measure the traffic loads generated
by these devices, particularly during traditional peak traffic periods. Thin clients can greatly simplify administrative issues, but it is important to ensure
that sufficient capacity to store all data on the server is available, and that all
mouse/keyboard and video updates are transmitted efficiently across the network; such datagrams consume a surprising amount of bandwidth.
Review Questions
1. Designers planning to use WINS must:
A. Plan to install a WINS server on every subnet
B. Manually enter all IP and NetBIOS name information
C. Also configure a DHCP server
D. Consider the need for multiple WINS servers
2. The LMHOSTS process:
A. Is suited to small networks only
B. Is recommended for large networks only
C. Requires the use of DHCP
D. Dynamically learns PDC and BDC information
3. NetBIOS over IPX is called:
A. NBT
B. NetBEUI
C. NWLink
D. NetBIOS does not operate over IPX
4. Broadcasts:
A. Are fine so long as they consume less than ten percent of
bandwidth
B. Are unnecessary with desktop protocols
C. Should be reduced whenever possible to reduce unnecessary
networks:
A. The ability to configure the PDC on NetWare servers
B. The ability to configure up to three BDCs to run on three different
NetWare servers
C. The ability to provide IP connectivity without loading IP on each
client
D. IPX HSRP
7. Microsofts RAS product:
A. Provides DHCP services
B. Uses the PPP protocol
C. Supports IP only
D. Cannot run on an NT server
8. Traditionally, DNS was unable:
A. To dynamically interoperate with DHCP
B. To translate names to IP addresses
C. To operate in Unix environments
D. To accept manual mappings
stations and servers while providing access to the Internet and Unix
servers. The best solution would include:
A. IP eXchange and NWLink
B. NBT and IPX
C. NBT, WINS, DHCP, and TCP/IP
D. NetBEUI and Cisco GSR routers
10. Broadcasts are controlled:
A. With switches
B. With routers
C. With hubs
D. With repeaters
11. Designers attempt to reduce broadcasts for which of the following
reasons?
A. Broadcasts require unnecessary processing by the workstations.
B. Broadcasts consume four times the bandwidth of data.
C. Broadcasts are not necessary in LAN protocols.
D. Broadcasts cannot operate in NBMA topologies.
12. In order to reduce bandwidth requirements on the WAN link, the
designer might:
A. Place the DHCP server at the remote site and keep the lease timers
short
B. Place the DHCP server at the remote site and lengthen the lease
timers
C. Centralize the DHCP server and use the default DHCP timers
D. Use multiple DHCP servers with short timers
purposes. Therefore:
A. The DHCP scope should include a reservation block of addresses
in the subnet for servers or should not include the address range.
B. DHCP cannot be used in the subnet.
C. Servers must all use the address 0.0.0.0 for all datagrams.
D. WINS must be used.
19. The master domain:
A. Trusts all single domains
B. Is trusted by all single domains in the group
C. Shares a bi-directional trust with all single domains
D. Can be the only domain in the corporation
20. The LAN services browser mechanism is replaced by:
A. DHCP
B. DDNS
C. WINS
D. LMHOSTS
Chapter 8
While SMDS is included in the CID exam objectives, its availability has waned
in recent years. Standard ATM services have effectively replaced such installations, while Frame Relay has always held a substantial market share. SMDS
did not fail due to technology; in fact, it was a very good protocol. Rather, it
required additional expertise and expensive equipment compared to the
alternatives. Many providers never offered the technology.
Copyright 2000 SYBEX, Inc., Alameda, CA
and there is no requirement to define each possible link ahead of time. Second, switched services typically share bandwidth better within the cloud. As
this chapter's discussion turns to committed information rates (CIR, in Frame
Relay) and sustained cell rates (SCR, in ATM), you will see that the network
can logically adapt to the requirements of the users and allow bursts of traffic
within the constraints of total capacity.
When reviewing the WAN technologies and designs presented in this
chapter, it is important to consider the following issues: reliability, latency,
cost, and traffic flows and traffic types. Most network designers focus ultimately on cost as the most important design consideration; however, reliability may require additional expense. Latency, various traffic flows, and
traffic types are supported with most modern technologies and thus lose
some importance in modern designs. Of course, this text ignores some of the
older and more limited protocols in WAN design, such as BiSYNC and digital data system (DDS) circuits, two areas in which these issues deserve
more prominence.
Reliability
Unlike LAN connections, WAN links tend to be a bit unstable and often are
unreliable. This may be due to fiber cuts, equipment failure, or misconfiguration by the service provider. Unfortunately, it is difficult to add reliability to
Latency
Latency, the delay introduced by network equipment, has become a minor
concern in most data designs as protocols have migrated toward delay tolerance. However, with voice and video integration on data networks, even today's wire-speed offerings may require the attention once
afforded time-sensitive protocols on slower links, such as SNA
(Systems Network Architecture) sessions used in mainframe connectivity, which rely on polling and time out when responses arrive late. Modern
network designs can address these issues with queuing, low-latency hardware, cell-based technologies like ATM, and prioritization. One of the benefits afforded by ATM is a consistent latency within the network.
The latency category frequently incorporates throughput and delay factors. Compared to LANs, most wide area links are very slow, and performance suffers as a result. Designers should work with application developers
and server administrators to tune the network to address this limitation. Possible solutions include compression and prioritization (queuing), yet these
functions can degrade performance more than the link itself if not deployed correctly. Designers should also make use of static routes or quiet routing protocols and employ other techniques, such as IPX watchdog spoofing
(discussed in Chapter 6), to control overhead traffic. Under the best circumstances, designers should focus on moving limited amounts of data between
servers on very slow WAN links whenever possible.
Cost
WAN networking costs typically exceed those for a LAN. There are a number of reasons for this; the most significant factor is the recurring cost of WAN circuits. Unlike the LAN, where the company owns the connections between routers, the WAN infrastructure is owned by the telecommunications provider, which leases its fiber or copper
circuits to the customer. This differs from LAN installations, where the company purchases
and installs its own cable. The initial cost of establishing a LAN may be
greater, but the lack of recurring costs quickly reduces the amortized impact.
The technologies used to reduce WAN costs (Frame Relay, ATM, and
SMDS) are presented throughout this chapter. Yet in short, Frame Relay
provides the greatest savings per megabit. ATM is quickly providing savings
in WAN costs, but this is based more on the integration of voice and data
than on lower tariffs.
Though not discussed in this book, both MAN-based Ethernet and DSL, a
shorter-range technology, appear to further reduce WAN costs.
SDLC
Cisco's HDLC
The data frame for each of these protocols is derived from SDLC, which
is used in SNA. As shown in the following illustration, there are five components to the frame, excluding the variable-length data portion. The beginning and ending frame flags are each one byte in length and carry the same bit pattern, 01111110 (hexadecimal 0x7E); the link uses bit stuffing (or octet stuffing on asynchronous lines) so that this pattern never appears inside the frame. The address field is shown as one
byte, but it can be expanded to a two-byte value. The control field marks the
frame as informational, supervisory, or unnumbered. The frame check
sequence (FCS) provides limited error checking: it is a CRC that detects transmission errors, not a cryptographic integrity check, so it offers no protection against deliberate modification of the frame. Cisco's HDLC encapsulation adds a type field between the control and data fields, and PPP places
a protocol field in this location.
Flag (1 byte) | Address (1 or 2 bytes) | Control (1 byte) | Data (variable) | FCS (2 bytes) | Flag (1 byte)
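The FCS in the diagram can be worked through in code. The following is an added example, not code from the book or from Cisco: it frames a PPP payload as in the illustration (flag, all-stations address 0xFF, control 0x03, the PPP protocol field, data, 16-bit FCS, flag) using the FCS-16 algorithm of RFC 1662, then shows both what the FCS catches (a single flipped bit) and what it does not (a changed payload with a recomputed FCS). Transparency, that is bit or octet stuffing of 0x7E inside the data, is left out to keep the example short.

```python
"""PPP-in-HDLC framing with the 16-bit frame check sequence of RFC 1662.

Added example, not from the book. Layout follows the frame diagram:
Flag | Address | Control | Protocol (PPP) | Data | FCS | Flag.
Bit/octet stuffing is omitted, so payloads containing 0x7E would need
escaping before being put on a real link.
"""
from typing import Optional

FLAG = 0x7E                      # 01111110, opens and closes every frame
PPP_ADDRESS = 0xFF               # all-stations address
PPP_CONTROL = 0x03               # unnumbered information
PPP_PROTO_IP = 0x0021
PPP_PROTO_PAP = 0xC023
PPP_PROTO_CHAP = 0xC223
FCS16_INIT = 0xFFFF
FCS16_GOOD = 0xF0B8              # residue of a correct frame when the FCS is run over data + FCS


def fcs16(data: bytes, fcs: int = FCS16_INIT) -> int:
    """Bitwise CRC-16 with the reflected polynomial 0x8408, as in RFC 1662 appendix C."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """Wrap a PPP payload in an HDLC-style frame and append the FCS (low octet first)."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body) ^ 0xFFFF
    return bytes([FLAG]) + body + fcs.to_bytes(2, "little") + bytes([FLAG])


def check_frame(frame: bytes) -> Optional[bytes]:
    """Return the frame body (address through data) if the FCS verifies, else None."""
    if len(frame) < 7 or frame[0] != FLAG or frame[-1] != FLAG:
        return None
    inner = frame[1:-1]                 # address .. data .. FCS
    if fcs16(inner) != FCS16_GOOD:      # transmission error detected
        return None
    return inner[:-2]


def protocol_of(frame: bytes) -> Optional[int]:
    """PPP protocol field of a frame that verifies, else None."""
    body = check_frame(frame)
    return None if body is None else int.from_bytes(body[2:4], "big")


def forge_frame(frame: bytes, new_payload: bytes) -> bytes:
    """Change the data and recompute the FCS: the receiver cannot tell, because a CRC is not a MAC."""
    protocol = protocol_of(frame)
    if protocol is None:
        raise ValueError("cannot forge a frame that does not verify")
    return build_ppp_frame(protocol, new_payload)


if __name__ == "__main__":
    frame = build_ppp_frame(PPP_PROTO_IP, b"hello")
    print(frame.hex(" "))
    damaged = bytearray(frame)
    damaged[5] ^= 0x01               # flip one bit of the first data byte
    print("damaged verifies:", check_frame(bytes(damaged)) is not None)
    print("forged verifies:", check_frame(forge_frame(frame, b"HELLO")) is not None)
```

The check value for the string 123456789 under this CRC is 0x906E, which is a quick way to confirm an implementation against published tables; integrity against an active attacker has to come from a higher layer (IPsec, TLS, or a MAC in the application), never from the FCS.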
HDLC
Ciscos implementation of the HDLC protocol is the default serial line
encapsulation on the router. It supports the AutoInstall feature, which permits remote configuration of newly installed routers; however, it is also proprietary. Regardless of this limitation, most administrators use Cisco HDLC.
PPP
The Point-to-Point Protocol provides a number of benefits over the HDLC
encapsulation; however, it also includes a slight amount of overhead by comparison. The fact that PPP is an RFC standard (RFC 1661) is its greatest advantage, but the
protocol also offers authentication and link-control features. Authentication is
typically provided by the Password Authentication Protocol (PAP), which transmits the password in the clear, or by the
more secure Challenge Handshake Authentication Protocol (CHAP), which proves knowledge of a shared secret by returning an MD5 hash of a random challenge, so the secret itself never crosses the link.
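The difference between the two methods is easiest to see in the packets. The following is an added example, not code from the book or from Cisco: it builds PAP and CHAP packets in the formats of RFC 1334 and RFC 1994 and runs the CHAP exchange from both sides (the authenticator's challenge, the peer's MD5 response, the authenticator's verification). The router names, the secret and the fixed challenge value are made up for the example; a real authenticator draws the challenge from a random source, as the demo() function does.

```python
"""PAP versus CHAP on a PPP link.

Added example, not from the book. Packet layouts follow RFC 1334 (PAP)
and RFC 1994 (CHAP); names, secrets and any fixed challenge value are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTHENTICATE_REQUEST = 1


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code | Identifier | Length | Peer-ID-Len | Peer-ID | Passwd-Len | Passwd.

    The password travels in the clear; anyone who captures this packet has it.
    """
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body


def _chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code | Identifier | Length | Value-Size | Value | Name."""
    return struct.pack(">BBHB", code, ident, 5 + len(value) + len(name), len(value)) + value + name


def parse_chap(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    code, ident, length, value_size = struct.unpack_from(">BBHB", packet)
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    return code, ident, packet[5:5 + value_size], packet[5 + value_size:length]


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident: int, challenge: bytes, authenticator_name: bytes) -> bytes:
    return _chap_packet(CHAP_CHALLENGE, ident, challenge, authenticator_name)


def chap_response(challenge_packet: bytes, secret: bytes, peer_name: bytes) -> bytes:
    """Peer side: hash the challenge with the shared secret; the secret itself is never sent."""
    code, ident, challenge, _ = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge")
    return _chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, challenge), peer_name)


def chap_verify(challenge_packet: bytes, response_packet: bytes, secrets: Dict[bytes, bytes]) -> bytes:
    """Authenticator side: recompute the hash from the stored secret and return Success or Failure."""
    ccode, cid, challenge, _ = parse_chap(challenge_packet)
    rcode, rid, value, peer = parse_chap(response_packet)
    ok = (ccode == CHAP_CHALLENGE and rcode == CHAP_RESPONSE
          and rid == cid                      # the response must answer this challenge, not an old one
          and peer in secrets
          and hmac.compare_digest(value, chap_response_value(cid, secrets[peer], challenge)))
    code, message = (CHAP_SUCCESS, b"Welcome") if ok else (CHAP_FAILURE, b"Authentication failure")
    return struct.pack(">BBH", code, cid, 4 + len(message)) + message


def demo() -> bool:
    """Run one CHAP exchange with a random challenge, as a real authenticator would."""
    secrets = {b"branch-router": b"s3cret-key"}          # constructed credentials
    challenge = chap_challenge(0x2A, os.urandom(16), b"hq-router")
    response = chap_response(challenge, secrets[b"branch-router"], b"branch-router")
    return chap_verify(challenge, response, secrets)[0] == CHAP_SUCCESS


if __name__ == "__main__":
    print("CHAP exchange succeeded:", demo())
    print("PAP packet carries the password:",
          b"s3cret-key" in pap_request(1, b"branch-router", b"s3cret-key"))
```

CHAP defeats a passive listener who would simply read a PAP password, but the shared secret has to be recoverable in plaintext on both ends, and a captured challenge/response pair can be attacked offline by guessing the secret, so the secret should be long and random rather than a memorable password.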
LAPB
Link Access Procedure, Balanced is a reliable encapsulation for serial connections. It provides the data-link layer for X.25, but it may be used without
that protocol. LAPB features link compression and excellent error correction, which makes it well suited to unreliable analog media. Because of this
overhead, LAPB tends to be slower than other encapsulations.
One of the configuration options in LAPB is modulo, the size of the sequence-number space. Initial implementations of LAPB supported only eight sequence
numbers (modulo 8), which quickly resulted in a windowing delay on
higher-speed and long-delay connections; modulo 128 was developed to address this limitation. Designers should make certain that the same value is used on both
sides of the link.
Frame Relay networks offer the network designer many benefits that
do not exist in point-to-point, leased-line transports. These include:
- Distance-insensitive billing
- The ability for data to burst above the tariffed data rate
Most vendors offer Frame Relay under a fairly simple tariff, or cost structure, based on the reserved capacity of the virtual circuit. Leased lines charge
on a per-mile basis, and the bandwidth charge is equal to the total capacity
of the circuit. As a result, Frame Relay connections can be significantly less
expensive, especially when traversing hundreds of miles.
Circuit costs are recurring and thus can quickly overshadow any installation
and capital expenditures.
unused because the connection is dedicated. Frame Relay circuits are typically provisioned with a bandwidth reservation lower than the capacity of
the link, 256Kbps on a T1, for example. Vendors combine virtual circuits
so that the remaining bandwidth is utilized, but if the physical media has
unused bandwidth, any of the virtual circuits can burst beyond their allocation and temporarily increase their available bandwidth.
Frame Relay circuits are typically provisioned with two distinct bandwidth parameters, unlike standard HDLC or switched-56 circuits, which are
provisioned with the data rate equal to the port speed. In addition to the
physical capacity of the circuit, Frame Relay incorporates a committed information rate, or CIR.
The CIR function varies with different telecommunications vendors,
though most use the value to represent a guaranteed available bandwidth to
the customer. This may be calculated on a per-second or per-minute basis,
but the net result is that customers can reserve bandwidth at a lower level
than the capacity of the local loop connection. For example, a CIR of
768Kbps on a T1 would offer at least 768Kbps to the customer and provide
a burst up to 1.5Mbps for a short duration.
Switched virtual circuits (SVCs) are available in Frame Relay, yet most vendors do not support this configuration. As a result, this chapter discusses PVC-based Frame Relay connections only. PVCs and SVCs are discussed in more
detail later in this chapter.
The Frame Relay switch simply takes one port/DLCI connection and forwards it to another port/DLCI connection. In this context, the term port
refers to the physical interface, and DLCI refers to the logical Frame Relay
interface. DLCIs only have local significance, and while vendors typically
assign a single DLCI for each link in the PVC, it is possible to have different ones.
Consider the connections shown in Table 8.1:
TABLE 8.1 DLCI Connections
Connection                  Port and DLCI
San Francisco to Denver     Port 1, DLCI 100
Denver to Chicago           Port 7, DLCI 200
These connections are shown in Figure 8.1. Note that each physical connection in the diagram carries two user DLCIs, and that while a single
Frame-Relay switch is shown for clarity, there would be more switches for
such long connections. There are three PVCs in this full-mesh configuration.
FIGURE 8.1 (diagram: a single Frame Relay switch with ports 10, 11, and 12 connecting Chicago and Denver; the links carry DLCI pairs 100/200 and 200/400)
Cisco routers default to the Frame Relay Forum LMI specification, and
many designers use that default. A number of vendors recommend Annex D
because of its improved congestion handling. For reference, the LMI frame
format is illustrated in Figure 8.2.
FIGURE 8.2 LMI frame format: Flag (1 byte) | LMI DLCI (2 bytes) | Unnumbered Information Indicator (1 byte) | Protocol Discriminator (1 byte) | Call Reference (1 byte) | Message Type (1 byte) | Information (variable) | FCS (2 bytes) | Flag (1 byte)
Nonbroadcast Multiaccess
One of the more advanced concepts in WAN design involves the concept of
nonbroadcast multiaccess (NBMA) technologies. Unlike LAN protocols,
WAN installations were originally designed around simple point-to-point
connections. Addressing was unnecessary, and in the most basic installations, a connection required only one device to be DTE and the other DCE.
Such connections are often used to link two routers together without the benefit of a DSU/CSU (data service unit/channel service unit).
Nonbroadcast multiaccess networks acknowledge the limitations of most
WANs in comparison to local area networks. The typical wide area network
does not lend itself well to broadcasts. This reflects the nonbroadcast portion
of NBMA. The multiaccess portion acknowledges that some WAN technologies provide more than one destination; recall that the first WAN links
were simple point-to-point configurations.
(Figure: a router announces network 192.168.2.0 across the Frame Relay cloud)
prevent routing loops; disabling this function will again subject the network to
this possibility. The other solutions require a substantial amount of manual
intervention and administration, steps that are unnecessary. The next section
describes yet another alternative: a means to keep split-horizon enabled and
provide full routing in a partial-mesh configuration.
Full-mesh designs are not recommended for OSPF (Open Shortest Path
First). Hub-and-spoke topologies are not recommended for EIGRP
(Enhanced Interior Gateway Routing Protocol), discussed in Chapter 4.
These guidelines are based on the characteristics of each protocol.
The second goal is one of support; many remote locations lack the technical
staff to provide troubleshooting and other diagnostic services.
In order to provide users with the most connectivity options, designers
often incorporate dial-on-demand routing (DDR) services on the router.
This configuration makes use of another design concept: floating static
routes.
Recall the presentation on IP routing and the administrative distance
(AD) parameter. Each route could be provided by one or more routing protocols, and the router maintained an administrative distance that it used to
select routing information. Floating static builds upon this concept of administrative distance. Normally, a static route has an administrative distance of
one, making it one of the best routes from the protocol's perspective. This
would tend to override dynamic routing information, which is undesirable in
many instances.
However, if the administrator informed the router that the static route
had an AD of 240 (the highest number is 254), then the dynamic protocols
would have lower ADs and would be used instead. As shown in Figure 8.4,
the IGRP route through the Frame Relay cloud is used under normal circumstances. However, the floating static route between the two modems on the
dial-on-demand connection is used when the Frame Relay link fails.
FIGURE 8.4 (diagram: the DDR route between two modems carries AD 240; the IGRP route through the Frame Relay cloud carries AD 100)
Note that floating static routes may be used on any link and are not dependent
on DDR connections.
Backup Interfaces
An alternative to floating static routes is the backup interface. Under this
configuration, the router is instructed to bring up a link if the interface goes
down. The backup interface is associated with the primary interface. While
this configuration has merits, the use of floating static routes typically works
better in Frame Relay configurations. This addresses the concern of failed
PVCs: the link may remain up/up (interface is up/line protocol is up); however, a switch failure in the cloud will collapse the PVC.
The Local Management Interface was designed to prevent this type of failure,
yet there are specific scenarios that LMI cannot detect.
Since the router has no method for detecting this failure (unlike ATM
OAM cells, discussed later in this chapter), it continues to believe that the
interface is valid. The routing protocol may eventually record the fact that
the link is unavailable, but this requires the use of a routing protocol, which
adds overhead.
The terms virtual path and virtual circuit do not relate to permanence or
switched characteristics. Both PVCs and SVCs require a VPI/VCI pair.
Figure 8.5 illustrates the flow of data through the ATM switches. As with
the DLCI in Frame Relay, the VPI/VCI pair is used by the ATM switch to forward cells.
FIGURE 8.5 (diagram: an ATM client reaches an ATM server through the switches; the hops are labeled VPI 0/VCI 111, VPI 0/VCI 71, and VPI 0/VCI 109)
While Figure 8.5 presents only a single VPI/VCI for both data directions,
ATM considers each direction independently. In addition, each value has local
significance from the port only; thus the VPI/VCI of 0/67 could be used for
the entire definition. This usage is highly recommended since it facilitates
troubleshooting.
In Figure 8.5, the terms client and server relate to Layer 7 functions, not
ATM services.
FIGURE 8.6 (diagram: three ATM client/server pairs carried on VPI 3, using VCI 196, VCI 160, and VCI 189 respectively)
FIGURE 8.7 (diagram: UNI cell header fields: VPI, VCI, Payload Type, CLP)
For switch-to-switch links, the ATM specification calls for the use of the
Network-to-Network Interface (NNI). It omits the GFC (Generic Flow Control) field, as shown in Figure 8.8. The following sections describe each of the
fields found in the UNI and NNI specifications, which should provide a better overview of how these protocols operate in the ATM environment.
FIGURE 8.8 (diagram: NNI cell header fields: VPI, VCI, Payload Type, CLP)
Payload Type
The three bits of the payload type (PT) are used to differentiate between user
data and maintenance data, although the VPI/VCI effectively directs this
traffic to the proper destination. In addition, the PT field may be used for
flow control, and it is used for end of message markers in AAL 5.
Connection Associated Layer Management information is referred to as
F5 flow. Congestion information is also incorporated into this section,
depending on the PTI coding bit values. The PTI coding (most significant bit
first) is interpreted as shown in Table 8.2.
TABLE 8.2 PTI Coding
PTI Coding   Definition
000
001
010
011
100
101
110          Reserved.
111          Reserved.
Segment OAM cells are limited to switch-to-switch connections; the end-to-end OAM cells include the router interfaces or end station. F4 type cells
are used for virtual paths and use a VCI of 3; F5 type cells are used for virtual
circuits and use a VCI of 4.
OAM is a powerful tool for the designer, as it provides visibility to the
entire PVC. Unlike LMI in Frame Relay, this tool allows the router (or other
ATM device) to detect faults in the ATM cloud, an area that typically
remains veiled from the administrator. As a result, OAM-managed PVCs can
detect a failure within seconds and immediately trigger failover to an
alternate circuit. Without OAM, the network may appear to be functioning properly while discarding all cells.
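The UNI and NNI header layouts, the payload-type bits (congestion, AAL5 end of message, segment and end-to-end F5 OAM) and the F4 OAM VCIs discussed above, worked through as an added example that is not code from the study guide. PTI meanings for 000 through 101 are the standard ITU-T I.361 values (the chapter's Table 8.2 lists only the two reserved codes); F4 flows are recognised on VCI 3 (segment) and VCI 4 (end-to-end) of a virtual path per ITU-T I.610, and the HEC is the standard CRC-8 over the first four header bytes; all sample headers are constructed.

```python
"""Decode the 5-byte ATM cell header (UNI and NNI) and classify the cell.

Added example; it is not code from the study guide. Field widths follow
the UNI and NNI layouts the chapter describes (the NNI drops the 4-bit GFC
and widens the VPI to 12 bits). PTI meanings are the standard ITU-T I.361
values; 110 and 111 are kept as reserved, matching Table 8.2. The HEC is
CRC-8 (polynomial x^8+x^2+x+1, result XOR 0x55) over the first four header
bytes. All sample headers are constructed.
"""
from dataclasses import dataclass

HEADER_LEN = 5        # header bytes; the other 48 of the 53 are payload
F4_OAM_VCIS = (3, 4)  # F4 (virtual path) OAM: VCI 3 segment, VCI 4 end-to-end

# Payload Type Indicator, most significant bit first (as in Table 8.2).
PTI_MEANING = {
    0b000: "user data, no congestion, AAL5 frame continues",
    0b001: "user data, no congestion, AAL5 end of message",
    0b010: "user data, congestion experienced, AAL5 frame continues",
    0b011: "user data, congestion experienced, AAL5 end of message",
    0b100: "segment OAM F5 cell",
    0b101: "end-to-end OAM F5 cell",
    0b110: "reserved",
    0b111: "reserved",
}


def hec8(first_four: bytes) -> int:
    """Header Error Control byte for the first four header bytes."""
    crc = 0
    for byte in first_four:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


@dataclass(frozen=True)
class CellHeader:
    interface: str  # "UNI" or "NNI"
    gfc: int        # always 0 on NNI, which carries no GFC field
    vpi: int
    vci: int
    pti: int
    clp: int        # cell loss priority: 1 = discard first under congestion
    hec_ok: bool    # False when the header failed its CRC check

    @property
    def description(self) -> str:
        return PTI_MEANING[self.pti]

    @property
    def is_oam(self) -> bool:
        """F5 OAM is flagged in the PTI; F4 OAM rides on reserved VCIs."""
        return self.pti in (0b100, 0b101) or self.vci in F4_OAM_VCIS

    @property
    def congestion(self) -> bool:
        """EFCI: the middle PTI bit of a user-data cell."""
        return self.pti < 0b100 and bool(self.pti & 0b010)

    @property
    def end_of_message(self) -> bool:
        """AAL5 marks the last cell of a frame with the low PTI bit."""
        return self.pti < 0b100 and bool(self.pti & 0b001)


def parse_header(raw: bytes, interface: str = "UNI") -> CellHeader:
    if len(raw) < HEADER_LEN:
        raise ValueError("an ATM cell header is 5 bytes")
    if interface not in ("UNI", "NNI"):
        raise ValueError("interface must be 'UNI' or 'NNI'")
    word = int.from_bytes(raw[:4], "big")  # GFC/VPI, VCI, PT, CLP
    if interface == "UNI":
        gfc, vpi = word >> 28, (word >> 20) & 0xFF
    else:
        gfc, vpi = 0, (word >> 20) & 0xFFF
    vci = (word >> 4) & 0xFFFF
    pti = (word >> 1) & 0b111
    clp = word & 0b1
    return CellHeader(interface, gfc, vpi, vci, pti, clp, hec8(raw[:4]) == raw[4])


def build_header(vpi: int, vci: int, pti: int = 0, clp: int = 0,
                 gfc: int = 0, interface: str = "UNI") -> bytes:
    """Inverse of parse_header; used here only to construct sample cells."""
    vpi_bits = 8 if interface == "UNI" else 12
    if not 0 <= vpi < (1 << vpi_bits) or not 0 <= vci < (1 << 16):
        raise ValueError("VPI/VCI out of range for this interface")
    if not 0 <= gfc <= 0xF or (interface == "NNI" and gfc):
        raise ValueError("GFC is 4 bits on UNI and absent on NNI")
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | ((pti & 0b111) << 1) | (clp & 1)
    first_four = word.to_bytes(4, "big")
    return first_four + bytes([hec8(first_four)])


if __name__ == "__main__":
    # Constructed samples: a UNI cell on VPI 0/VCI 111 (the figure's values)
    # ending an AAL5 frame, and an NNI cell on VPI 3/VCI 196 marked CLP=1.
    for raw, kind in ((build_header(0, 111, pti=0b001), "UNI"),
                      (build_header(3, 196, clp=1, interface="NNI"), "NNI")):
        h = parse_header(raw, kind)
        print(kind, h.vpi, h.vci, h.description, "hec ok" if h.hec_ok else "HEC ERROR")
```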
These bit rate settings correspond to the type of data in the cell. For example, voice traffic is considered constant bit rate (CBR), while data typically
uses unspecified, available, or variable bit rates (UBR, ABR, and VBR,
respectively).
Payload
The payload portion of an AAL 5 cell is 48 bytes. Therefore, a 64-byte frame
in Ethernet would require two cells in ATM, and since each cell must equal
53 bytes, the ATM cell is padded. This leads to some concerns in the networking arena that there is too much overhead in ATM when linking frame-based networks.
Designers should note that ATM does not provide error checking on the
payload section of the cell; it leaves that responsibility to the upper-layer
protocols.
PVC. However, vendors have created tools that can graphically define
the PVC and automatically establish the path.
Most data network encapsulation using ATM is defined in RFC 1497.
This RFC outlines the requirements and methods used to transport multiple
protocols over ATM using SNAP. This differs from another RFC-defined
methodology, RFC 1577, which defines encapsulation for IP only.
Figure 8.9 illustrates the use of RFC 1483 with a permanent virtual circuit. Note that RFC 1483 does not require the use of PVCs; SVCs are
valid also.
In Figure 8.9, the PVC is defined as an end-to-end connection that does
not terminate at the switch with the physical layer. In addition, the network
layer is the same as frame-based, network-layer traffic; IP, for example,
would start at this point. All of the traditional rules regarding subnets and routing apply. The previous layer, RFC 1483, effectively establishes the data-link
layer.
FIGURE 8.9 (diagram: protocol stacks for Node A, the Switch, and Node B. The nodes run Application through Transport Layers, Network Layer, RFC 1483, ATM Adaptation Layer 5 (AAL5), ATM, and Physical Layer (OC-3, OC-12); the switch runs only ATM and Physical Layer (OC-3, OC-12); the PVC spans Node A to Node B)
As with Frame Relay, ATM PVCs are typically configured with two bandwidth parameters. The maximum cell rate is referred to as the Peak Cell Rate
(PCR), while the amount of bandwidth available for data is called the Sustained Cell Rate (SCR). The SCR is analogous to the CIR in Frame Relay
(discussed earlier in this chapter), and under the FRF.8 specifications, the two
are somewhat interchangeable. (The FRF.8 and FRF.5 specifications define
the methods by which ATM and Frame Relay traffic are interchanged.)
FIGURE 8.10 (diagram: protocol stacks for NSAP A, the Switch, and NSAP B. The end systems run Q.2931 Signaling over UNI, Service-Specific Convergence Protocol (SSCOP), ATM Adaptation Layer 5 (AAL5), ATM, and Physical Layer (OC-3, OC-12); the switch runs Q.2931 Signaling, SSCOP, AAL5, ATM, and Physical Layer (OC-3, OC-12))
ATM Routing
There are two common methods for routing cells across ATM switches:
Interim Inter-Switch Signaling Protocol (IISP) and Private Network-Network Interface (PNNI).
IISP is a static routing model that provides for a backup path in the event
of primary link failure. This is somewhat limited compared to a dynamic
routing protocol; IISP cannot take advantage of multiple backup paths.
Designers need to remember that ATM is still a fairly new technology with
many interpretations of the standards, and as a result, IISP was one of the
best routing methods available.
The dynamic routing protocol, PNNI, is an improvement on the manual
and static IISP. However, it is still limited in that the current standard does
not support hierarchical routing and is limited in scalability as a result. PNNI
provides for prefix-based routing and route aggregation while also supporting multiple alternative paths. As ATM network complexity increases,
it becomes more imperative to use PNNI.
Both routing protocols support E.164 addresses, which are used in public
ATM networks, and NSAP addresses, which are used in private installations.
NSAP addressing is the 20-octet addressing format, while E.164 is a 10-digit
number similar to phone numbers in North America. Some E.164 addresses
have additional bits/digits, as shown later in the SMDS section.
The design models for ATM are very similar to those used in traditional
networks. For example, configurations may follow the hierarchical model or
operate in a star topology. Most ATM tariffs are quite expensive at present;
however, substantial discounts may be found in local installations. Unlike
most other network technologies, it is very important to avoid congestion in
ATM networks. This is due to the impact of a single lost cell on the data
flow: a lost cell may require 20 cells to repeat the frame. All 20 cells will be
retransmitted even though only one cell was lost to congestion. This adds to
the original congestion problem and results in greater data loss.
Cell-based trunk links are provided with either standard 53-byte ATM
cells or the 24-byte FastPacket cell configurations. FastPacket cells are
proprietary.
It is important to understand the limitations and functions of the StrataCom product. Table 8.3 describes the differences in the various switches.
TABLE 8.3 StrataCom Switch Features
Switch               Features
BPX/AXIS switches
IGX switches
IPX switches
StrataCom switches are usually administered with the StrataSphere Network Management software. These applications provide planning tools
including StrataSphere Modeler and StrataSphere Optimizer. The Statistics
agent and BILLder applications are more targeted toward management and
operations functions.
Many changes have occurred with the StrataCom product line and Cisco's
positioning of this platform. Please consult the technical and sales information available online.
Design Model   Characteristics
Flat           Flat StrataCom networks regard all nodes as equal partners. There are no hierarchical characteristics under this
               design. The flat design can support 48 nodes; however,
               processing and addressing limitations can impact the
               overall success of this deployment. Under the flat design
               model, all nodes must maintain information about all
               other nodes in the network.
Tiered         StrataCom's tiered design model adds hierarchical characteristics to the network and is substantially more
               scalable than the flat model. Under the tiered model,
               IPX, IGX, and AXIS platforms are connected to a backbone consisting of BPX nodes.
Structured
The router sends only one copy of the packet to the group address. The network/switch is responsible for distributing and repeating that packet to all
members of the group. The network/switch will not transmit the packet back
to the sender, even though the sender is a member of the group.
SMDS required the use of an SMDSU (SMDS Unit) or SDSU (SMDS Data
Service Unit). Since SMDS never attained the volume found with Frame
Relay and other WAN technologies, it is understandable that these DSUs
would have a higher cost.
SMDS supports a number of upper-layer protocols, including:
IP
IPX
AppleTalk
CLNS
XNS
DECNet
Vines
Transparent bridging
Summary
Frame Relay
LMI
Inverse ARP
ATM
SMDS
The next chapter builds upon some of these concepts as it addresses the
remote access technologies, including ISDN and X.25. Generally, these services are of lower bandwidth than ATM and Frame Relay.
Review Questions
1. In a flat configuration, the StrataCom switch can support how many
ports?
A. 12
B. 24
C. 48
D. 192
2. Which product would be most appropriate for terminating low-
and data?
A. Frame Relay
B. SMDS
C. ATM
D. ISDN
4. Which of the following WAN technologies is being phased out?
A. ATM
B. SMDS
C. Frame Relay
D. T1
AAL 5 specification?
A. It operates with PVC and SVC circuits.
B. It provides 48 bytes per cell for payload.
C. It provides 5 bytes per cell for header.
D. It provides a checksum for the cell payload.
which features?
A. Single destination per physical interface and per-mile charges
B. Multiple destinations per physical interface and per-mile charges
C. Multiple destinations per physical interface and distance-insensitive
charges
D. Single destination per physical interface and distance-insensitive
charges
11. The BPX switch employs which of the following?
A. A 1.2Gbps frame-based backplane
B. A 3.6Gbps backplane link via the Phoenix ASIC
C. A redundant 1.2Gbps cell-switching bus
D. A redundant 9.6Gbps crosspoint switch matrix
12. StrataCom switches do not provide which of the following services?
A. ATM
B. Video
C. FDDI
D. Voice
13. Rather than disabling split-horizon, the designer of a Frame Relay net-
True or false?
A. True
B. False
18. The structured design model for StrataCom switches employs which
concept?
A. Hierarchical domain model that supports up to 384 nodes
B. Full-mesh model that supports up to 384 nodes
C. Hierarchical domain model that supports up to 64 nodes
D. Partial-mesh model that supports up to 64 nodes
19. DLCIs must be the same throughout the entire PVC. True or false?
A. True
B. False
20. Generic Flow Control provides which of the following features?
A. Congestion control
B. Buffering control
C. Path determination for congestion control
D. None of the above
Chapter 9
While the technologies presented in this chapter are different from the WAN systems discussed in Chapter 8, readers should find some
similarities between them. All WAN systems ultimately introduce factors that
are not present in LAN designs; sometimes these factors are significant.
Consider the fact that most WAN solutions reduce the amount of control
availed to the administrator. This loss of control may be due to a partnership
with a telecommunications provider or to end-user activity. Either factor can
greatly complicate troubleshooting and support.
Another common factor in remote access and WAN solutions is performance. While it is possible to obtain OC-48 SONET (Synchronous Optical
Network) rings (yielding over 2Gbps) for WAN connectivity, these solutions
are also very costly (up to and exceeding $30,000 a month, depending on
distance). Remote-access solutions typically utilize significantly slower connection methods, including X.25, ISDN, and standard telephone services
(PSTN/POTS or Public Switched Telephone Network/plain old telephone
service). Therefore, designers should work with users and application support staff to minimize the demands on the remote access solution, thereby
providing the greatest performance for users.
This chapter will address X.25 and ISDN technologies in detail. It will
also present the various ways remote users access the corporate network,
including remote gateways, remote control, and remote nodes.
This chapter will include a section on xDSL technologies as well. While
xDSL is not on the current CID examination, the quick growth of this transport technology will certainly play a role in future network designs.
be implemented. In addition, careful consideration should be given to oversubscription, as bandwidth is limited. Designers also need to consider X.25
under the same guidelines as any NBMA (nonbroadcast multiaccess) configuration, which was covered in the Frame Relay section of the previous
chapter.
Cisco introduced subinterface support for X.25 in IOS version 10.0. This
eliminated the NBMA factors of partial-mesh connectivity and split-horizon,
so the designer can provide full connectivity with a partial-mesh configuration. As with other subinterfaces, each link is a different network.
The router can also provide the functions of an X.25 switch via its serial
ports. This allows connectivity between two packet assembler/disassembler
(PAD) devices. Unfortunately, X.25 and LAPB are the only protocols supported on the link, which precludes other encapsulations. Both PVC (permanent virtual circuit) and SVC (switched virtual circuit) links are supported.
Host connections typically terminate with ISDN PRI (Primary Rate Interface) services, which use T1 circuits. This provides 23 B channels, and all signaling occurs on the D channel. Each channel is 64Kbps, for a total data rate
of 1.535Mbps. The remaining bandwidth is overhead.
Designers should carefully review the costs associated with ISDN before
committing to the technology. Since most tariffs are based on per-minute
billing, bills in the thousands of dollars per month are not uncommon
when improper configurations are deployed. This factor is the largest negative regarding ISDN for telecommuting. Users will also notice that connections require a few seconds to be established; ISDN is not an always-on
technology.
Remote Access
Over the years, users have demanded access to corporate LANs from
their homes, hotel rooms, and customer sites. These requirements depart significantly from the fairly comfortable and controlled structure of the local
area network.
Copyright 2000 SYBEX , Inc., Alameda, CA
Remote Gateway
Remote gateways are designed to solve a single remote access need, and as a
result they can be fairly inexpensive. The most common remote gateways are
used for e-mail, but they can be configured to provide other services as well.
A remote gateway is a remote-access device that services a single application.
The key to remote gateway solutions is that they generally do not scale
because the remote gateway device typically processes the application in
addition to the remote session. Therefore, the designer may address a single
need quickly without building in scalability. As a result, the designer selecting remote gateway technology would likely purchase separate modems and
phone lines for each gateway deployment, resulting in an expensive long-term solution as more and more gateway services are added.
Remote Control
The concept of remote control has been a powerful tool for diagnostics and
troubleshooting for years. Under remote control, a machine is operated from
a remote location. Everything that can be done locally on the machine is available to the remote user via the application. (PCAnyWhere is one popular
remote-control solution.) As a result, technical support staff have been able to
use this resource to fix workstation problems, a solution much more efficient
than the "please click on the button and tell me what it says" approach, which
requires training in addition to research and troubleshooting.
For the network designer deploying a remote access solution, the process
is reversed. The host machine is located in the data center and typically contains a fixed configuration that provides access to most of the applications
that would be available to local users on a local workstation. This configuration is sometimes used with thin-client deployments as well. A thin-client
is a workstation that relies on a server for most processing; applications on
a thin-client are typically very small as well. A fat-client maintains more of
the processing and servicing on the workstation.
For remote users, this solution offers some powerful advantages. First, the
configuration and support issues are virtually limited to the server system.
The remote user need only be concerned with the remote-control client. Second, the remote user can access all of the applications that are available on
the host without installing the application. Third, performance for some
applications is increased with remote control. For example, consider a large
database query. This might require the transfer of 10 megabytes of data
across the phone line. Remote-control solutions would limit the data flow to
a screenful of data at a time, a fraction of that figure.
All of these advantages cannot be without disadvantages. The most significant is that users must be connected to the remote-control host to access
applications and data. So a worker using remote control for eight hours a
day pays for a connection for the full eight-hour day. The modem and other
equipment at the hosting site are also reserved for that user. In addition,
performance is limited to the speed of the connection and the compression
Remote Node
It would be nice to allow remote users the same on-LAN service that they
have in the office, and remote-node technology allows exactly that.
Although remote-node technology is slower, remote users must connect as a
remote node only when transferring data. Under all other circumstances,
they can operate with the applications and data stored on their local workstation. This situation introduces support issues that did not exist with
remote-control and remote-gateway solutions, but it also makes the service
scalable.
Under remote control, a user would need to connect to the server for eight
hours a day to be productive. With a remote node connecting only for data
transfer, this time could be cut to perhaps less than 15 minutes per day, long
enough to transfer a few files and capture e-mail five or six times. In theory,
then, the single connection could support 32 users. To illustrate, consider
Table 9.1. Designers can make use of the fact that users are not concurrent
(a measure of simultaneous users) to oversubscribe the modem pool. As
shown, 32 users at 15 minutes can be serviced with four circuits, or 640 users
can be supported with 80 circuits at an oversubscription rate of 8:1, which
is still double the average concurrent usage figure.
TABLE 9.1
Users   Duration     Circuits   Concurrent Usage
32      8 hours      32         32
32      15 minutes   4
640     15 minutes   80         40
This clearly reduces the costs associated with remote access. Because the
LAN connection is slow (the workstation thinks that the modem is a LAN
adapter), applications and other static data should be stored locally.
Remote-node solutions are sometimes considered more secure than other
remote-access methods, and Cisco supports this position. However, once a
node connects, it is capable of running any software on the client workstation, including hacking tools and other applications that may not adhere to
corporate policy. Remote gateways, by serving a single function, and
remote-control hosts, by placing applications under administrative control,
may be more secure solutions.
Given the flexibility of remote-node solutions and the scalability afforded
by them, most designers in modern remote solutions will opt for this solution
first. If remote control is necessary, it can be combined with remote node by
simply attaching to the remote-control host over the network session established as a node. This hybrid solution can provide the bandwidth savings
sometimes available with remote control without making it the only connection method.
Remote Users
So far, this chapter has merely touched upon remote users and their needs.
However, it is important to expand upon their requirements. After all, the
entire reason to deploy remote access is to provide services to users.
Remote users typically fall into one of three general categories:
Telecommuters, frequent users who telecommute from a fixed location. This would include small office/home office (SOHO) users with
small LANs in their home.
Cisco recommends different hardware solutions for each of these categories; however, all are predicated on the deployment of remote-node solutions. Let's look at the various hardware solutions.
Low-Density Solutions
Cisco recommends the use of its 2509/2511 series routers for small user
pools. This solution would address the needs of eight to 16 users and use
external modems to provide a modem bank. Note that this solution is analog, which means that v.90/56k is not supported. This will limit users to 28.8
or 33.6Kbps.
Fixed-Location Solutions
Cisco positions its 760/770 ISDN router platform for the remote user operating from a fixed location. This solution incorporates ISDN, which may
significantly add to the access costs; however, it also provides greater bandwidth than a dial-up solution. As of this writing, it appears that Cisco is
departing from the 760/770 platform in favor of newer 800 series systems.
For actual deployments, designers should consult with their local Cisco
representative.
One of the benefits to an ISDN-based SOHO solution is the use of a single
line for voice and data. The installation may be configured to use both B
channels (ISDN BRI) for data-only transmissions. A voice call can use either
of the two channels, and this configuration will still provide data connectivity.
On the hosting side of ISDN connections, the designer has a number of
options. Multiple ISDN BRI circuits may be terminated to Ciscos 4000
series router. However, this solution would service only a few connections.
Deployment of the 4000 or 7000 series routers with ISDN PRI connections
could support a larger population of users. An alternative Cisco solution is
the 3600 platform; however, this platform was unavailable when the current
exam was developed.
Some recommendations in this book suggest using end-of-life or discontinued equipment. This is due to the age of the examination objectives and is
reflective of the current examination. Please consult Ciscos Web site for the
most recent information.
High-Density Solutions
Cisco also offers the AS5200, which may be used for termination of ISDN
and analog phone connections and can provide service for fixed-location
users. This platform yields the greatest flexibility of these solutions. Both the
AS5100 (discontinued) and AS5200/AS5300/AS5800 products offer integrated modems, which may benefit administrators concerned with rack
space. Integrated solutions typically benefit from lower total costs as well.
High-density solutions may also benefit large pools of mobile users. The
smallest AS5200 configuration is typically 24 digital modems. Mobile user
pools would not be served well with the 4000 or 7000 platform.
Both the 4000/4000M and 7000/7010 models are classified end-of-life at this
writing. Please check the Cisco Web site for current information.
DSL technologies and cable modems are not included as an exam objective at
present. This section is provided only as optional material for those readers
interested in this technology.
fiber optics, which greatly extends the reach of xDSL. Figure 9.1 illustrates
a typical installation of DSL with and without an access product. As shown,
a home four miles away cannot obtain xDSL access without an access product. Please note that most xDSL technologies support distances between
1,800 and 18,000 feet.
As of this writing, vendors are deploying DSL at fairly low speeds and as
an Internet connectivity solution. Most vendors provide 1.544Mbps downstream bandwidth, as viewed from the central office side, and 128Kbps to
384Kbps upstream. These bandwidths greatly surpass ISDN and analog
offerings, but they cannot provide the multi-service goals of xDSL, primarily MPEG-2 video streaming. Table 9.2 shows the various xDSL technologies available.
FIGURE 9.1 xDSL installations (figure; labels: No DSL Service, Access Terminal)
TABLE 9.2 xDSL technologies (columns: technology, Characteristics; rows: ADSL, HDSL, IDSL, SDSL, VDSL; only the VDSL row survived extraction)
VDSL: Limited to distances less than 4,500 feet, VDSL can provide up to 52Mbps downstream bandwidth. This is usually the shortest range DSL service.
Most vendors are deploying xDSL from two perspectives. The first is the
traditional ISP-based installation, which simply substitutes ISDN or analog
dial-up for DSL. Because DSL is an always-on technology, there is no call
setup or teardown process, and the connection to the DSLAM, or Digital
Subscriber Line Access Multiplexer, is always active. The second connectivity model is RLAN, or Remote LAN. This model places the DSL connection
on par with Frame Relay or point-to-point links in the WAN; however, the
solution is being deployed for telecommuters as opposed to interoffice connections. Ultimately, designers may find that the consumer level of support
currently offered in DSL will be augmented and the lower price will encourage replacement of frame and leased-line installations for interoffice traffic
as well.
Both of these implementation methods can assist a modern network
design. However, some caveats should be considered.
At present, most DSL vendors offer a single PVC with DSL installations.
This limits connectivity options and makes redundancy difficult. A second
PVC could provide a link to another head-end (distribution layer aggregation point), and most vendors have multiple DSLAMs in the central office.
An SVC-based solution would also assist in designing fault-tolerance.
Another concern with current DSL installations is that most products do
not offer security solutions. The RLAN model greatly reduces this risk
because the links are isolated at Layer 2, but all connectivity must be provided by the head-end. This includes Internet connectivity. For Internet
connections to an ISP, the risk is significantly greater, especially when considering the bandwidth available for an attack and the use of static IP
addresses or address pools. A number of significant attacks have already
occurred as a result of these issues, and while they should not deter the use
of the technology, the risks should be addressed with firewall technology.
A third consideration in DSL is the installation delay compared to other
technologies. Vendors are moving towards splitterless hardware so that the
telephone company does not have to install a splitter in the home. The splitter divides the traditional phone signals from the data stream and provides
a jack for standard telephones; DSL transports data and voice over the
same twisted-pair wiring used for standard analog phone service. At present,
installations require weeks to complete in order to validate the circuit to the
home and install the splitter.
Cable Modems
It would be unfair to present the DSL technologies without providing some
space for cable modems. Cable modems operate over the same cable system
that provides television services using the same coax cable that is already
used in the home. Most installations will provide two cables, one for the television and one for the data converter, but the signaling and system are the
same. This is accomplished by allocating a television channel to data services. Bandwidth varies with the installation; however, 2Mbps in each direction is not uncommon.
Detractors of cable modem technology are quick to point out that these
installations are shared bandwidth, similar to Ethernet, which results in contention for the wire among neighbors. This design also introduces a security
risk in that network analysis is possible, although vendors are working to
address this concern. This issue does not exist in DSL, as the local loop connection to the home is switched. Traffic is not integrated until it reaches the
central office, and the switch will only forward traffic destined for the end
station based on the MAC address. Cable modems are a shared technology, similar to 802.2 Ethernet versus 10-Base-T. Along the same lines, a
cable modem is really a broadband Ethernet bridge.
Network designers may wish to consider cable modems as part of a VPN
deployment, as the technology will not lend itself to the RLAN-type (Remote
LAN-type) designs availed in DSL. Recall that an RLAN requires Layer 2
isolation, a service not offered by cable modem providers at present. This
may change in the future if channels can be isolated to specific users. This
may be especially true in very remote rural areas, where cable is available
and DSL is not.
Summary
Remote gateway
Remote control
Remote node
Review Questions
1. A remote gateway:
A. Provides access to a single application or service
B. Provides access to a display-only connection
C. Places the remote workstation on a slower extension of the LAN
D. None of the above
2. Remote-control solutions:
A. Are very limited because they allow access to only one application
B. Are very limited because there must be a connection in order to
solutions
3. Deployment of remote node systems:
A. Is extremely costly and serves a single function, which impacts
scalability
B. Allows administrators to control all applications at a central
source
C. Requires the use of fixed locations for remote users
D. Provides an effective connection to the LAN, although it is usually
slower
4. The designer needs to provide 10 remote users with dial-in access.
implementation
6. Which of the following is not true regarding X.25?
A. Provides high reliability
B. Provides high bandwidth
C. Cannot provide DCE functionality
D. Cannot provide DTE functionality
7. The X.25 protocol relates to which layer of the OSI model?
A. Application
B. Session
C. Data link
D. Network
8. True or false: A Cisco router cannot provide X.25 switching services.
A. True
B. False
9. Which of the following is not an encryption technology for tunnels
on ISDN?
A. L2F
B. CDP
C. PPTP
D. L2TP
technologies?
A. X.25
B. Frame Relay
C. ATM
D. Ethernet
14. True or false: MMP is an open standard.
A. True
B. False
20. ISDN BRI provides how much B channel bandwidth for the user?
A. 64Kbps
B. 128Kbps
C. 144Kbps
D. 1.544Mbps
Chapter 10
Designing for Mainframe Connectivity
CISCO INTERNETWORK DESIGN EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Discuss the hierarchical and connection-oriented nature of SNA.
Describe the use of gateways to attach Token Ring devices to an SNA network.
Explain how LLC2 and SDLC sessions are established.
Describe reasons for integrating SNA technology with internetworking technology.
Examine a client's requirements and recommend SNA internetworking solutions.
Construct SNA designs that replace legacy communications equipment with multiprotocol routers.
Build redundancy into SNA internetworks.
Design remote source-route bridged SNA internetworks in full- and partial-mesh configurations.
Choose the appropriate place to do priority queuing or custom queuing for SNA.
Mainframe Overview
FIGURE 10.1 (figure; elements: Dumb Terminal, Dumb Terminal, Mainframe Host Running VTAM, IBM 3745 Front-End Processor Running NCP, IBM 3174 Cluster Controller, Dumb Terminal)
SNA divides each component in the network into one of three logical elements, called Network Addressable Units, or NAUs. These are:
These components interact with the data-flow control, transmission control, path control, and data-link control layers of the SNA protocol. Designers
must keep in mind that SNA was never designed to operate on the reliable
high-speed, variable-delay links found in modern networks. Rather, the protocol was designed for consistent, low-latency, low-delay connections, and
sessions can be lost with only the slightest variation. A recurrent theme in SNA
is the fact that longer, more complex paths through the network demand
greater attention to timers and latency than other protocols, such as IP.
The LUs are further divided into two subcategories. Primary LUs (PLUs)
are associated with host applications, while secondary LUs are associated
with the end user.
PUs are the actual devices used in communications. However, this component of SNA is responsible for communication with the SSCP as well as
the control and monitoring of the physical systems.
The SSCP is part of the VTAM program on the host system. It is responsible for controlling all sessions with the mainframe. These sessions may be
divided into domains, creating logical groupings of devices.
SNA is generally considered a hierarchical networking technology. This is
more due to the control placed on the domain by the host than the physical
and logical design of the topology. The host computer, which is usually the
mainframe, groups PLUs and the various host systems. These systems are
usually referred to by their individual names, including CICS (Customer
Information Control System) and TSO, which are both applications that
run in regions on the mainframe. VTAM and SSCP are found at a lower layer
of the hierarchy; VTAM and SSCP map closer to an operating system than
to applications. One of the benefits of mainframe systems is the isolation
between different operations in the machine.
The physical layer of the mainframe is called the channel. This is typically
an ESCON (Enterprise System Connect) connection; however, bus and tag is
also used. ESCON connections operate at 17MBps (megabytes per second),
which is greater than Fast Ethernet in the non-mainframe environment.
While they are not as fast as the SuperHPPI (High Performance Parallel Interface, capable of 800 MBps) standard and other high-bandwidth technologies,
designers must keep in mind that ESCON connections are very efficient and
that mainframe data typically involves very small, 2-thousand-byte transfers. While large file transfers do occur, they usually use tape and other high-capacity media.
The FEP is a Type 4 node in SNA, contrasted with the Type 5 designation
given the host. This function is typically provided with a 3745 communication controller, which can connect to the network via a Token Ring adapter,
or TIC (Token Ring interface coupler). The Type 4 device connects to cluster controllers (devices that provide sessions to dumb terminals) or logical
units via SDLC or Token Ring. Ultimately, connections are established
between two logical units, which require connections to be established
between the SSCP-LU and SSCP-PU. The LU is a logical unit, whereas the PU
is a physical unit.
Over its evolution, mainframe access has changed substantially from the
dumb terminal (3270) and cluster controller days. Gateways once provided
the connections between PCs and the mainframe, allowing corporations to
remove the dumb terminals from the desktop. As this technology evolved,
companies began providing gateway services through Web browsers to
reduce the costs and maintenance associated with client installations. The
mainframe administrator would create a sysgen, or system generation
macro. This defined the Token Ring gateway as a switched major node.
Depending on the configuration, the gateway could be configured as a PU
Type 2 device or as an LU.
In addition, software and hardware for the PC also allowed the elimination of the gateway: the PC could directly connect to the host. While this
added administration tasks for the administrator, it also improved the performance of the 3270 connection, since the gateway and the necessary conversions were no longer a bottleneck. This solution was better suited for
advanced users with a demand for more complex services than the gateway
and thin-client approach. Many companies (who have not converted to TCP/
IP-based hosts) still provide gateway services, which are a suitable compromise for the majority of users, providing reasonable performance with simplified client administration.
As SNA evolved, numerous protocols have been developed to transport it
across modern networks. These technologies include SDLC tunneling (STUN,
or serial tunneling), remote source-route bridging, data-link switching, and
SDLC-to-LLC2 conversions. LLC2 stands for Logical Link Control, version 2,
and is a common framing transport. In addition, Cisco has announced a new
technology, SNASw (Systems Network Architecture Switching Services).
This continuing development toward support for SNA is a likely indication
that the protocol will remain significant in the near term.
It is important to remember that SNA is not a routable protocol (OSI definition), even though the term SNA routing is scattered throughout this text and
the IBM documentation. Through the use of the Routing Information Field and
other techniques, the source station can control the bridged paths used by
Token Ring.
Token Ring frames provide for a field to store the path information,
removing the need for the bridges in the network to store this information.
Workstations (or other source devices) begin sessions by sending an explorer
packet into the network. This packet is flooded throughout the network, and
each bridge will append routing information to the RIF of the packet. The
first packet received by the destination will be returned with the populated
RIF, providing step-by-step instructions for future packets. This mechanism not only provides for routing in a bridged environment, but also can
provide limited load balancing because the first packet received likely took
the shortest path with the least delay.
One of the negatives of source-route bridging is the mechanism that populates the RIF. This is provided by the explorer packet, which is the flood
referred to in the previous paragraph. This packet is replicated to traverse
every ring in the network for each new connection between two stations. On
a large network, this may result in a substantial amount of multicast traffic,
and many designers rely on proxy services to populate the RIF without the
need to flood the network. Proxy explorer functions are provided on Cisco
routers and operate by remembering previous RIF information: the first
connection to a station still floods, but all subsequent connections from that
ring can use the proxy information to provide the route.
The RIF is stored in the format ring-bridge-ring, where each ring and
bridge is assigned a unique number. These numbers can augment troubleshooting since the administrator can look at the RIF to help find the troublesome component.
It is important to note that Ethernet and other protocols do not support
the concept of a RIF. When transiting these topologies, the network will
either encapsulate the frame or rely on transparent bridging.
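The RIF described above is worth seeing at the bit level, because the ring-bridge-ring notation an administrator reads when troubleshooting is a decoding of a small binary field in the Token Ring frame. The following is an added example, not code from the book or from Cisco: a Python parser for the IEEE 802.5 RIF layout (a 2-byte routing control field carrying the routing type, length, direction bit and largest-frame code, followed by 2-byte route designators of a 12-bit ring number and a 4-bit bridge number). The sample RIF bytes are constructed for the ring numbers 100 and 200 used in this chapter's figures; `cisco_notation` renders the dotted hex groups in which a RIF is usually displayed, which is an assumption about display format rather than something the book states.

```python
"""Decode an IEEE 802.5 source-route bridging Routing Information Field (RIF).

Added example (not from the book): shows how the ring-bridge-ring path the text
describes is carried in the frame. Field widths follow the 802.5 RIF layout.
"""
from dataclasses import dataclass, field
from typing import List

# Largest-frame codes in the routing control field (3-bit base LF values, bytes).
LARGEST_FRAME = {0: 516, 1: 1500, 2: 2052, 3: 4472, 4: 8144, 5: 11407, 6: 17800, 7: 41600}


@dataclass
class Rif:
    routing_type: str   # specifically routed, all-routes explorer, spanning-tree explorer
    length: int         # total RIF length in bytes (routing control + route designators)
    direction: int      # 0 = read designators left to right, 1 = right to left (return path)
    largest_frame: int  # largest frame every bridge on the path can carry, in bytes
    rings: List[int] = field(default_factory=list)    # ring numbers in traversal order
    bridges: List[int] = field(default_factory=list)  # bridge crossed after each ring


def _routing_type(rt: int) -> str:
    """Top three bits of routing control: 0xx = SRF, 10x = ARE, 11x = STE."""
    if rt & 0b100 == 0:
        return "specifically routed"
    return "all-routes explorer" if rt & 0b010 == 0 else "spanning-tree explorer"


def parse_rif(data: bytes) -> Rif:
    """Parse raw RIF bytes; raises ValueError on a malformed field."""
    if len(data) < 2 or len(data) % 2 or len(data) > 30:
        raise ValueError("RIF must be an even number of bytes between 2 and 30")
    rc = int.from_bytes(data[:2], "big")
    length = (rc >> 8) & 0x1F
    if length != len(data):
        raise ValueError(f"routing control says {length} bytes, got {len(data)}")
    rif = Rif(_routing_type(rc >> 13), length, (rc >> 7) & 1,
              LARGEST_FRAME[(rc >> 4) & 0x7])
    designators = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]
    rif.rings = [rd >> 4 for rd in designators]          # upper 12 bits: ring number
    rif.bridges = [rd & 0xF for rd in designators[:-1]]  # lower 4 bits: bridge (last is 0)
    if rif.direction:                                    # frame travelling back along the path
        rif.rings.reverse()
        rif.bridges.reverse()
    return rif


def ring_bridge_ring(rif: Rif) -> str:
    """Render the path in the ring-bridge-ring form used when troubleshooting."""
    parts: List[str] = []
    for ring, bridge in zip(rif.rings, rif.bridges):
        parts += [str(ring), str(bridge)]
    if rif.rings:
        parts.append(str(rif.rings[-1]))
    return "-".join(parts)


def cisco_notation(data: bytes) -> str:
    """Dotted groups of four hex digits, e.g. 0630.0641.0c80 (display format assumed)."""
    return ".".join(data[i:i + 2].hex() for i in range(0, len(data), 2))


if __name__ == "__main__":
    # Constructed RIF: specifically routed, 6 bytes, LF code 3, ring 100 -> bridge 1 -> ring 200.
    sample = bytes.fromhex("063006410c80")
    rif = parse_rif(sample)
    print(cisco_notation(sample), rif.routing_type, ring_bridge_ring(rif), rif.largest_frame)
```

A specifically routed frame walks the designators as written; when the direction bit is set, the same bytes describe the reverse trip, so the decoded path comes out as 200-1-100. An explorer that has not yet crossed a bridge carries only the 2-byte routing control field, which the parser reports with an empty path.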
SDLC tunneling (STUN) provides for the encapsulation of SNA traffic in three different configurations. The first is called serial direct, wherein
the serial ports on the router are directly connected to local controllers. The
controllers then connect to terminals. The other two configurations, HDLC
and TCP/IP, are considerably more advanced than serial direct.
HDLC (High-Level Data Link Control) encapsulation is used between
routers and offers the best performance for traffic over a serial connection.
Figure (elements: Token Ring, Token Ring, Virtual Ring)
Table (column: Characteristics; rows: Local SRB, Direct, Frame Relay, IP FST, TCP; cell text lost in extraction)
RSRB is not without limitations, and many new network designs will opt
to use the DLSw (Data Link Switching) option, given its superior handling.
DLSw is discussed in the following section. However, the long history of
RSRB certainly requires designers of modern mainframe networks to understand the protocol; many organizations have been slow to adopt newer
Supports SNA traffic over TCP, which adds reliability to the transport
across WAN links.
Peer groups
It is very unlikely that the loopback interface will fail, unlike the physical interfaces. (Cisco defines the loopback as never failing, but sometimes an administrator will inadvertently delete the interface or remove its address.) Use of
the loopback can greatly enhance the reliability and supportability of the
router. The loopback notation in the previous output reflects the IP address of
the router's loopback interface, LO0. This is administratively assigned, as
opposed to the traditional IP loopback of 127.0.0.1.
The RIF provides a hop-by-hop path through the Layer 2 network. This path is
comprised of ring numbers and bridge numbers.
The SNA session will not recover automatically from a failure of the host
FEP. However, clients can reattach to the other FEP with a simple explorer
packet and reconnect. These types of installations work best if each FEP has
at least two TICs (Token Ring interface couplers) and two routers. Each TIC
is configured with a presence on each ring serviced by the routers. This configuration is illustrated in Figure 10.3. Ring 100 is shown in the thicker lines,
whereas ring 200 is shown with thinner lines. The connections to the mainframe are omitted for clarity. Note that routers are shown in the diagram,
but SNA is not routable and the frames are truly bridged.
Redundant SNA designs may also make use of dual backbone rings.
Under this design, the connections to the FEPs are available with partial ring
failures. Bridge failures are also addressed. This design is illustrated at a high
level in Figure 10.4.
FIGURE 10.3 (figure; elements: Mainframe, FEP A, FEP B, Token Ring 100, Token Ring 200)
FIGURE 10.4 (figure; elements: User Ring, Backbone Ring, User Ring, Backbone Ring, User Ring)
Many designers find that the time-sensitive nature of SNA is problematic when merging the protocol to interoperate with other protocols. This is
one of the reasons that local acknowledgement and encapsulation are beneficial to the designer.
There are times and installations when the designer does not wish to use
these techniques to control SNA traffic. For these instances, the designer may
wish to employ queuing to provide a higher priority to SNA traffic, reducing the delay experienced in the router's buffer. Both queuing types are best
suited for lower bandwidth serial connections.
Priority queuing is a process-switched solution to queuing. Four output
interface queues are established, and the processor removes frames from the
queue with the highest priority. The queues are named and sequenced as
high, medium, normal, and low.
This type of queuing is best suited to installations where SNA traffic is of
the greatest importance to the company, as other traffic will be discarded in
order to accommodate the higher priority queue. Should the designer find
that packets are consistently dropped, the solution would be to install more
bandwidth. The benefit may still remain, however. SNA traffic would, all
things being equal, have less latency than other protocols.
It is important to note that priority queuing is very CPU-intensive and
requires frames to be process-switched. This is the slowest switching method
available on the router. It is also possible that protocols in the lower priority
queues will not be serviced and the frames will be dropped.
Figure 10.5 illustrates priority queuing. Note that SNA traffic has been
given high priority and, as a result, sends all packets into the queue before IP
and IPX.
FIGURE 10.5 Priority queuing (figure; packet labels as drawn: SNA, SNA, SNA, IP, IP, IPX and IP, IP, SNA, SNA, SNA, IPX)
Custom queuing is also available to prioritize SNA traffic and is processor-intensive. However, it is less likely to completely block traffic from lower priority protocols. Rather than allocate all of the available bandwidth to a single
high-priority queue, custom queuing defines up to 16 output interface queues
that are accessed in sequence. The number of bytes permitted per sequence
provides the prioritization. For example, the administrator wishes to provide
roughly 75 percent of the circuit to SNA (RSRB) and the remainder to IP.
Under these objectives, the queue for SNA could be defined as 4,500 bytes,
while 1,500 are allocated to IP. Individual installations and experience will
help to develop the final parameters, but the installation makes certain that
SNA receives service, as a function of bandwidth, 75 percent of the time.
Figure 10.6 demonstrates custom queuing. Note that SNA has been allocated 50 percent of the queue priority, while IP and IPX each have 25 percent
of the queue. As a result, the last SNA packet must wait until the IP and IPX
packets in the queue have been processed. Note that the right side of Figure 10.6 is read from right to left: the rightmost side shows the first packet
exiting the router. Assuming full queues, this results in an SNA packet, an
SNA packet, an IP packet, and an IPX packet, given the percentages above.
This process will continue so long as all queues are filled.
FIGURE 10.6 Custom queuing (figure; packet labels as drawn: SNA, SNA, SNA, IP, IP, IP, SNA, IPX and IP, SNA, SNA, IPX)
Designers are apt to place queuing at the access layer of the network. This
placement typically results in the least performance degradation and is consistent with the hierarchical model. However, in practice, queuing is configured when and where it makes the most sense to do so, perhaps ahead of a
slow serial link or at an aggregation point. Because queuing is not a zero-sum
gain, i.e., there is a significant cost associated with it, most designers and
administrators avoid using either type of queue unless there is a specific reason
to do so.
It is also noteworthy that priority queuing should be regarded as a last-resort option and that queuing impacts only outbound traffic. High volumes
of high-priority traffic in priority queuing will block all other traffic; it is
better to use custom queuing so that all traffic is serviced.
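The starvation risk of priority queuing and the proportional service of custom queuing are easiest to see by running the two disciplines side by side. Here is an added simulation in Python, not code from the book or from Cisco, of the two output schedulers described in this section: strict priority (serve the highest non-empty queue) and byte-count round robin (serve each queue in turn up to its byte count). The 1,500-byte frames, the queue contents and the per-tick arrival pattern are constructed; the rule that a custom queue keeps transmitting until its byte count is met or exceeded is an assumption modelled on IOS behaviour, not something the book states.

```python
"""Priority queuing versus custom queuing as output schedulers (added simulation).

Queues are keyed by protocol name; each packet is (protocol, size in bytes).
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

Packet = Tuple[str, int]
Queues = Dict[str, Deque[Packet]]


class PriorityScheduler:
    """Strict priority: always serve the first non-empty queue in `order`."""

    def __init__(self, order: List[str]):
        self.order = order  # highest priority first (high, medium, normal, low)

    def pick(self, queues: Queues) -> Optional[str]:
        for name in self.order:
            if queues[name]:
                return name
        return None

    def account(self, size: int) -> None:
        pass  # priority queuing has no per-turn byte budget


class CustomScheduler:
    """Round robin: each visit to a queue transmits packets until the queue's byte
    count is reached or exceeded (assumption: the packet that crosses the count is
    still sent, as IOS custom queuing does), then the next queue is visited."""

    def __init__(self, byte_counts: Dict[str, int]):
        self.names = list(byte_counts)
        self.byte_counts = byte_counts
        self.index = 0  # queue currently being visited
        self.sent = 0   # bytes sent from that queue during the current visit

    def pick(self, queues: Queues) -> Optional[str]:
        if not any(queues[n] for n in self.names):
            return None
        for _ in range(len(self.names) + 1):
            name = self.names[self.index]
            if queues[name] and self.sent < self.byte_counts[name]:
                return name
            # budget exhausted or queue empty: move on with a fresh budget
            self.index = (self.index + 1) % len(self.names)
            self.sent = 0
        return None  # not reached: some queue is non-empty and gets a fresh budget

    def account(self, size: int) -> None:
        self.sent += size


def transmit(scheduler, queues: Queues) -> Optional[str]:
    """Send one packet chosen by the scheduler; returns its protocol, or None if idle."""
    name = scheduler.pick(queues)
    if name is None:
        return None
    proto, size = queues[name].popleft()
    scheduler.account(size)
    return proto


def make_queues(contents: Dict[str, int], size: int = 1500) -> Queues:
    """Constructed full queues: `contents` maps protocol -> number of queued packets."""
    return {proto: deque([(proto, size)] * count) for proto, count in contents.items()}


def drain(scheduler, queues: Queues) -> List[str]:
    """Transmit until every queue is empty (the full-queue case of Figures 10.5/10.6)."""
    out: List[str] = []
    while (proto := transmit(scheduler, queues)) is not None:
        out.append(proto)
    return out


def offered_load(scheduler, arrivals: Dict[str, int], ticks: int, size: int = 1500):
    """Each tick, enqueue `arrivals[proto]` packets per protocol, then transmit one.
    Returns (packets sent per protocol, backlog left per queue)."""
    queues: Queues = {proto: deque() for proto in arrivals}
    sent = {proto: 0 for proto in arrivals}
    for _ in range(ticks):
        for proto, n in arrivals.items():
            queues[proto].extend([(proto, size)] * n)
        proto = transmit(scheduler, queues)
        if proto is not None:
            sent[proto] += 1
    return sent, {proto: len(q) for proto, q in queues.items()}


if __name__ == "__main__":
    print(drain(PriorityScheduler(["SNA", "IP", "IPX"]), make_queues({"IP": 2, "SNA": 3, "IPX": 1})))
    print(drain(CustomScheduler({"SNA": 4500, "IP": 1500}), make_queues({"SNA": 6, "IP": 2})))
    print(offered_load(PriorityScheduler(["SNA", "IP"]), {"SNA": 1, "IP": 1}, 10))
    print(offered_load(CustomScheduler({"SNA": 3000, "IP": 1500}), {"SNA": 1, "IP": 1}, 10))
```

With the 4,500/1,500-byte counts from the text and 1,500-byte frames, draining full queues yields three SNA packets for every IP packet, the 75 percent share the section describes; with a 3,000/1,500/1,500 split the output is SNA, SNA, IP, IPX, as in Figure 10.6. The offered-load runs show the point of the last paragraph: when one SNA packet arrives every tick, priority queuing never transmits an IP packet and the IP backlog simply grows (those are the frames the router would eventually drop), while custom queuing still services IP roughly a third of the time.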
APPN Concepts
Table (columns: Service, Function; rows: CP, NN, EN; cell text lost in extraction)
TABLE 10.2 (columns: Service, Function; rows: LEN, CNN; only the CNN Function cell survived extraction)
CNN: The Composite Network Node (CNN) defines APPN functionality in VTAM. A combined NCP and CNN can operate as an NN.
SNASw
For years, application developers and network designers used advanced
peer-to-peer networking (APPN) to link mainframe resources and other
devices in the network. These solutions worked reasonably well, but they
were generally difficult to configure and troubleshoot. Cisco recently
announced SNASw, or Systems Network Architecture Switching Services. It
transports SNA packets across IP networks and promises to simplify many
of the negative aspects of APPN. Cisco also views SNASw as a possible
migration path toward complete IP connectivity on the mainframe. SNASw
was developed in concert with IBM.
One of the critical features in IP-based mainframe connectivity is redundancy. One option in this vein is VIPA, or virtual IP addressing. In a VIPA
installation, a subnet is created within the host itself, and two distinct subnets are attached to the virtual subnet, typically via the Cisco Channel
Interface Processor (CIP) and ESCON connections, which greatly improve
the performance of the connection between the routed network and the
mainframe. However, there are other options. VIPA provides for router, CIP,
ESCON interface, and ESCON connection failures, as the virtual subnet is
available via the alternative path. Note that the alternative path is not used
just for backup; VIPA can facilitate load balancing as well.
Designers should plan for these implementations with care, noting that the
mainframe IP stack typically does not support advanced or proprietary routing protocols. Therefore, it is likely that static routes or RIP redistribution
will be necessary on the router.
The router may also front-end TN3270 connections to the mainframe. This
removes some of the processing overhead required for terminal access.
Summary
This chapter addressed many of the issues that involve mainframe connectivity in modern network design. These issues included an overview of the
encapsulation methods available for SNA traffic and the frequent need for
redundancy in these installations.
This chapter also addressed the common design criteria and options associated with mainframe installations and the SNA protocol, including:
RSRB
DLSw
APPN
Redundancy
Queuing
Due to both the history of RSRB and its foundation in the other protocols,
designers are encouraged to make certain that they feel comfortable with
RSRB from a practical perspective as well as an exam perspective. Even in
organizations that have migrated to newer protocols, the concepts embedded in RSRB offer a strong foundation for the designer and administrator.
Copyright 2000 SYBEX, Inc., Alameda, CA
Review Questions
1. The designer is concerned about reliability and is interested in local
the queue.
C. Compression, required on priority queues, will consume too much
processor.
D. The fast switching table will be corrupted.
are cautioned:
A. Against using dual FEPs
B. Against using SNA
C. Against leaving explorer packet forwarding at its defaults
D. Against leaving the LU forwarding metric at its defaults
6. All packets in priority queuing are:
A. Fast switched
B. Process switched
C. Switched via NetFlow on T1 or greater links
D. Distributed switched on VIP-2 40 modules
7. DLSw+ peer groups provide which of the following benefits?
A. Any-to-any connectivity
B. Easier configuration
C. Optimized explorer packet processing
D. All of the above
8. Peer group DLSw configurations provide for:
A. Unequal-cost load balancing
B. Equal-cost load balancing
C. Per-packet forwarding
D. Per-packet forwarding over unequal-cost paths
benefits?
A. Prevention of application timeouts
B. Packet conversion
C. Compression
D. Encryption
10. An LAA is:
A. An SNA DLSw address
B. A locally administered IP address
C. A locally administered MAC address
D. Stored on the TIC only
11. True or false: Dual FEPs can use the same LAA.
A. True
B. False
12. True or false: The odds of packet loss are greater for lower priority
encapsulations?
A. STUN
B. RSRB
C. DLSw
D. All of the above
15. Which of the following techniques may be used to provide redundancy
in mainframe installations?
A. Dual front-end processors
B. Dual backbone rings
C. Dual Token Ring interface cards
D. All of the above
16. SSCP is part of which of the following?
A. TIC
B. FEP
C. VTAM
D. PU
17. APPN provides which function?
A. End station-to-end station connectivity, sans host
B. SNA routing
C. SNA encapsulation
D. A and B
E. A and C
Chapter 11
Designing Secure Networks
CISCO INTERNETWORK DESIGN EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Examine a client's security requirements and recommend firewalls and gateways.
Design a firewall system using packet-filtered routers and bastion hosts.
Choose protocols to be filtered on routers in the firewall.
As touched upon in Chapter 1, security is a component of network design that overshadows every other facet of the network. Thus, it is
imperative to consider data security from the onset of any design. While it is
possible to add security to a strong network design, this tactic typically
incorporates compromises. These compromises start with the security model
itself and ultimately lead to significant changes in the overall network design.
Since every network is different, it is up to each designer to evaluate the
security needs of their own networks. Also important to consider are the network's interrelationships with other components, including routing protocols, operating systems, and physical security. Physical security is as
important as the logical components designers typically consider: the best
access list is void if the hacker can physically access the router, for example.
Primarily, this chapter focuses on the generic, conceptual level of network
security. Don't make the mistake of considering this chapter a comprehensive dissertation on the subject. It would be easy to compose a complete text
on network security, and many authors have. Yet for the exam, this presentation provides sufficient information and yields some additional elements to
help apply this material in a production network. For example, one specific
area that warrants more treatment than is required for the CID exam is
interoperability between firewalls and Cisco routers. Readers may wish to
explore the issues surrounding this topic and consider how it applies to the
Cisco-centric view. For instance, most firewalls do not support EIGRP. This
automatically results in a requirement to use static routes or a redistribution
of EIGRP into a more universally supported routing protocol, typically RIP
or OSPF. This fact could significantly alter a security design.
The majority of this text addresses the concept of TCP/IP security, which clearly
does not present a complete security solution. However, many of the ideas presented herein are applicable to the broader demands of data protection.
Some attacks may use a combination of internal and external means to gain
access to data. For example, a fired employee may use his internal knowledge
of the network to gain access via an outside connection. According to security
experts, most attacks involve at least some inside information or access.
Corporations must realize that data security is an interesting legal problem. Many countries have not developed adequate regulations to make hacking a crime. Unfortunately, this results in little recourse when an attack is
successful. While the legal system is catching up to the incredible pace of
change, it is preferable to prevent as many attacks as possible and to capture
as much information as possible.
This text uses hacking in a generic context to encompass all types of unauthorized entry into computer systems, including phreaking (phone hacking)
and cracking.
All security models must start with a policy, a statement of what will
and will not be permitted within the network. The best way to approach this
is with a security document that clearly spells out the terms of the policy.
This may be very detailed, spelling out each and every element of the policy,
or it may be intentionally vague, simply framing the general authorizations.
Unfortunately, few organizations actually take the time to compose such a
document, and when it is written, it remains fairly staticmeaning that it
outlines a historical policy, rather than one that keeps up with the everchanging landscape.
As if the lack of documentation wasnt discouraging enough, many architects and managers find that the senior business management will not sign
even the most basic of security documents. This typically results from fear
either a lack of understanding or the desire to not take responsibility should
the network be compromised. This places any and all technical solutions at
grave risk.
When the business has not predefined the expectations of the security
solution, it cannot succeed. In addition, each time a specific business desires
to add new services, there will need to be a new evaluation of the request and
risk, a time-consuming and politically charged proposition.
Rather than dwell on the importance of good company politics in security
designs, this section addresses other single points in perimeter protection,
including:
Firewalls
Access lists
FIGURE 11.1 (figure not reproduced): Internal Network, Cisco Router with Access List, Cisco PIX, Internet
While the perimeter devices shown in Figure 11.1 include only a router
and a firewall, production installations generally include some or all of the
following:
Firewalls
Isolation LANs
Proxy servers
Middleware servers
Load balancers
FIGURE 11.2 (figure not reproduced): Internet; ISP A and ISP B; two Load Balancer/Redirector devices; two DMZs containing Web Servers; Database Servers; File Server; Windows Client; Internal Network
In their purest sense, DMZs do not have implied trust for any organization; all resources are suspect. A bastion host would be found in the DMZ.
You may note that Figure 11.2 includes redirectors and redistribution
resources, devices that help scale the Web server farm to support millions of
connections. Most designers today must consider the inclusion of these
resources in their designs, although this information is beyond the scope of
the exam. Redirectors serve a single uniform resource locator (URL) and
redirect users to one of many servers. This provides a simple load-balancing
mechanism.
It may not be readily apparent, but the security offered by the network in Figure 11.2 is poor at best. The illustration is not intended to show a good design,
but rather one that uses various components.
Strong monitoring and logging features The best firewall solutions are
worthless if the administrator is not warned of an attack or breach. This
part of the security policy may directly relate to the cost of the solution,
though not necessarily. Available to the administrator are several affordable options, which may consist of little more than syslog (system log)
output. More expensive solutions typically provide filtering and other features to reduce the volume of messages requiring the administrators
attention.
It may be appropriate to hire a dedicated specialist to address your firm's
security needs. This person may be an employee reassigned from another
position, a new hire, or a consultant. Consultants may yield the cheapest
deployment given their experience with different organizations and equipment. If you hire a consultant, make sure that they warrant the trust that
your firm will be placing in them and that everything they do is documented.
It is always a good idea to conduct a thorough background review, as well
as to check references. Non-disclosure agreements are also helpful, though it
may be difficult to provide sufficient legal proof of breach for this to fully
protect the organization.
Always have a second person trained on the security systems and technology.
People leave jobs and fall ill; either way, there will be a lack of support.
Logs should always be written to a secure server other than to the firewall
itself. Once the firewall is compromised, a hacker can easily purge the log
files, which are the best form of documentation for criminal prosecution.
Honey Pots
Remember Winnie-the-Pooh? He was a stuffed bear that came to life and,
like most bears, loved honey. One of many themes in the Pooh stories was
Winnie getting stuck because of his love of honey; one tale had his arm
trapped in a honey pot, a vessel with a small opening used for storing honey.
Well, in the network security arena, honey pots build upon this very idea:
Attackers want the honey, and they may get trapped if they try to obtain it.
Basically, the honey pot is a special fictional system designed to appear
like the corporate data being sought, and designed to be hacked. Once an
attack is detected by the firewall, the system redirects the session to the fictional data and invokes additional logging to capture information regarding
the attack and the hacker.
This recent trend in data security provides two benefits. First, the hacker
thinks he's successful when in fact the live data is still protected. Second,
detailed information regarding the attack and the hacker is obtained for authorities.
This information may include:
The CEO support attack is a work of wonder. As with the fake circuit attack,
it operates on the premise that most people want to be helpful. The attacker
selects a victim and calls the secretary of the CEO or other executive who
likely has a high level of access to the company systems. The cover story is
that the CEO reported a problem with an application on their machine, and
the attacker, posing as a member of technical support, wishes to test the
modifications on the server to make sure the problem was resolved correctly. Once given the password, the hacker can then use another access
method, perhaps a dial-in line, to gain access to the company's information.
This attack works best if the attacker appears to be calling from an internal
number. However, it works in many cases because the secretary wants to
help and the administrator could always get to the files anyway (the presumption being that server administrators can access all files on the server,
regardless of ownership or rights).
You may be asking what good a system password is if the hacker does not
have access to the system. Good point. Ask yourself what happens if the
remote access system uses the bindery/NDS or NT directory for authentication: the attacker gets in through the same system designed to prevent
such an attack. Again, even the best firewalls will fail to flag this type of scenario, and ultimately some data may be compromised.
Most corporations have very detailed security plans that are signed by
every employee under threats of termination and prosecution for violators.
Unfortunately, more often than not, these documents are unenforced. Note
that these documents are different from a security policy statement.
Viruses
Theft of data
Abuse of data/access
sales file). However, this solution does not offer a prevention phase, a
chance to prevent the problem from occurring. The network designer may
choose a firewall/proxy product that incorporates virus scanning of all files
that are accessed from the Internet, yet this solution will fail to address all
virus infections; a floppy brought in by an employee could quickly circumvent all detection efforts at the firewall.
Second, many of the techniques used in this case study were published
and/or patched mere days before the attack. While such monitoring is
impractical, a technician constantly monitoring the various hacking Web
sites may discover a technique to defeat the attack in time to implement a
solution. Many companies rely on their vendors to perform this task,
though restrictive permissions on the server and firewall can greatly diminish the number of techniques that can be used. To provide the best security
for the corporation, security technicians and designers must become hackers themselves, similar to the way law enforcement officers profile criminals, although this activity must be balanced with the other tasks required
by the organization.
A colleague at Cisco likes to cite the quote "The question isn't if you're paranoid. The question is, are you paranoid enough?" Well-placed paranoia
can be a very useful tool so long as it does not result in paralysis.
Firewalls
Firewalls have been regarded as the sole critical protection from the evils of
the Internet. While firewalls are helpful, this position is inaccurate. Firewalls
do not provide complete protection from external threats. They offer a single
point of attack, and, according to the latest surveys (1998), most attacks
avoid the firewall as a contention point altogether. These attacks may be
accomplished via dial-up, social engineering, or backdoor tactics, but the net
result is the same.
In addition, most firewalls are deployed without concern to internal
threats. Designers should always consider the possibility of internally
sourced attacks, including those that exploit internal systems from the outside, an attack scenario that starts with an external host compromising an
internal, trusted host and then using that trusted host to attack another internal resource.
The best firewalls offer the designer solid security options with easy
administration and configuration. Application-level firewalls go far beyond
the basic protocol-based selection process available from a router. For example, many firewalls can block Java applets within HTTP streams; the router
could only permit or deny HTTP. A router cannot block Java or ActiveX
applets, nor can it provide virus-scanning functions. Many firewalls can provide these services.
Cisco has introduced the IOS Firewall Feature Set, which adds some firewall
functionality to the basic port filtering available in access lists. Designers will
have to evaluate the appropriateness of this solution against other systems,
including Gauntlet, Sidewinder, the Cisco PIX, and Checkpoint.
Use static routes. This protects against route spoofing, where the
attacker redirects data to resources they control. Route spoofing is one
of the top techniques used by internal hackers.
Disable Telnet access to the router and use a locally attached console.
If this is not practical, use an access list to permit a handful of
addresses to the VTY interfaces, and then allow only data flowing into
the internal interface from an authorized source.
Disable small servers on the router. Cisco considers a number of services to be part of the small servers keyword, including the echo and
finger services.
Block Telnet access to internal resources from external hosts and the
firewall. Blocking firewall-sourced Telnet sessions requires placing a
router inside the firewall; once compromised, the firewall can no
longer be trusted to provide this protection.
Needless to say, the access list rules were disabled within three months,
and we were unfiltered to the Internet. We caught the problem as part of a
weekly, manually initiated audit process; the syslog feature on the router
was unreliable. (Note that this was not a Cisco router, although the same
problems could exist on a Cisco-based platform.) The router was compromised because it was protected from SNMP attacks only by a simple, unencrypted password (clear-text) and an IP address restriction. Further, while
the ISP never admitted that it had been hacked, there is little doubt that
someone (either inside or outside the ISP) compromised the machine (or
spoofed the IP address) that was given access and used it to attack us.
The immediate response to this attack was to disable the SNMP mechanism
and re-enable the filters. A full audit of all systems did not detect any further
compromises.
Designers should take a few lessons away from this story. First, don't trust
an ISP or any outside source to be secure. This is very hard to implement in
practice; I worked on one network where the ISP was the maintainer of the
firewall, and the IS staff was completely blocked from any involvement.
This is a very poor practice, though many companies lack the internal staff
resources necessary to properly maintain a firewall. In my opinion, when
this function gets outsourced, the mindset shifts to one of blame distribution rather than security, which is never good.
The second lesson is to always push for another solution. I didn't do this
once management had made their decision, though I knew that SNMP was
not secure (since version 2 uses clear-text passwords), and neither was a
single-firewall router design. Unfortunately, I was unsuccessful in getting
the budget for an internal firewall or the proper resources to manage and
monitor the router.
The PIX also supports PAT, or Port Address Translation (see Figure 11.4).
This feature is interesting in that a single IP address on the firewall can service
all of the external connections, yielding a significant savings in total IP address
allocations. PAT works by assigning each session a unique port number that
maps to the IP address on the internal interface. Note that Figure 11.4 differs
from 11.3 in that only the TCP port number is changed; the same IP address
is used on the external interface. This duplication conserves addresses on the
public network.
FIGURE 11.4 (figure not reproduced): PIX external IP address 204.4.117.1. Source 2 at 192.168.2.20, port 5120 translates to 204.4.117.1, port 1035 and connects to Destination 2. Destination 2 believes it is speaking only to 204.4.117.1, port 1035; it is completely unaware of the PAT process.
It is important to consider the types of traffic that will traverse a device providing PAT and NAT services. FTP, HTTP, and Telnet all operate well in this
configuration; however, NetBIOS-based services, including Windows naming
services, will not function properly. It is likely that this problem will be
addressed as corporations migrate to Active Directory and Windows 2000.
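The translation table behind the PAT description above, as an added example; this is not code from the book or from the Cisco PIX. It models one outside address (204.4.117.1, from Figure 11.4) fronting every inside session, each session receiving its own outside source port, and the reverse lookup that returning traffic must satisfy. The starting port (1035), the destination addresses and the second inside host are constructed to match the figure; a real device chooses ports and handles timeouts differently.

```python
"""Port Address Translation (PAT) table in miniature (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One inside TCP/UDP flow, identified by its 4-tuple."""
    inside_ip: str
    inside_port: int
    dest_ip: str
    dest_port: int


class PatTable:
    def __init__(self, outside_ip: str, first_port: int = 1035, last_port: int = 65535):
        self.outside_ip = outside_ip          # the single public address on the PIX
        self._next_port = first_port          # constructed to start at the figure's 1035
        self._last_port = last_port
        self._outbound: Dict[Session, int] = {}                        # Session -> outside port
        self._inbound: Dict[Tuple[int, str, int], Session] = {}        # (outside port, dest_ip, dest_port) -> Session

    def translate_outbound(self, s: Session) -> Tuple[str, int]:
        """Return the (outside_ip, outside_port) pair used for this session,
        allocating a fresh port the first time the session is seen."""
        if s in self._outbound:
            return self.outside_ip, self._outbound[s]
        if self._next_port > self._last_port:
            raise RuntimeError("PAT port pool exhausted")   # address conservation has a limit
        port = self._next_port
        self._next_port += 1
        self._outbound[s] = port
        self._inbound[(port, s.dest_ip, s.dest_port)] = s
        return self.outside_ip, port

    def translate_inbound(self, dst_port: int, src_ip: str, src_port: int) -> Optional[Session]:
        """Map a packet arriving on the outside interface back to the inside
        session that created the mapping. None means drop: nothing inside asked
        for this traffic. That side effect blocks unsolicited inbound
        connections, but it is not a substitute for a firewall policy."""
        return self._inbound.get((dst_port, src_ip, src_port))

    def active_sessions(self) -> int:
        return len(self._outbound)


def demo():
    """Reproduce the Figure 11.4 translation and show that two inside hosts
    using the same inside port still receive distinct outside ports."""
    pat = PatTable("204.4.117.1")
    a = Session("192.168.2.20", 5120, "198.51.100.10", 80)   # Source 2 in the figure
    b = Session("192.168.2.21", 5120, "198.51.100.10", 80)   # same port, different host (constructed)
    out_a = pat.translate_outbound(a)
    out_b = pat.translate_outbound(b)
    back = pat.translate_inbound(out_a[1], "198.51.100.10", 80)   # reply to Source 2
    stray = pat.translate_inbound(2000, "198.51.100.10", 80)      # no mapping: dropped
    return out_a, out_b, back, stray


if __name__ == "__main__":
    print(demo())
```

The reverse table is keyed on the remote address and port as well as the outside port, which is why a host that never received a session from the inside cannot reach an inside host simply by guessing a port number; the NetBIOS problem mentioned in the text arises because those protocols carry addresses inside the payload, which this table never rewrites.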
As noted previously, the PIX also provides for failure of the firewall in
redundant configurations. This is accomplished with an interconnect cable
and is somewhat limited in that both PIX boxes must be in close proximity.
Thus, this solution addresses hardware and most software failures, yet it
provides no protection from site and facilities failures.
Caching
While bandwidth is becoming cheaper and more widely available, there are
still many benefits to caching. When data is cached, the data elements are
copied and provided from sources closer to the requestor. The cache is the
collection of data elements that are provided.
Consider a Web page with three large graphics. It takes 10 seconds to
download those graphics across the Internet with a T1. If a company cached
Web traffic, the first employee would take 10 seconds to load the page, but
each subsequent employee would receive it in a fraction of that time, perhaps a single second. The cache serves the data from a local resource, rather
than requiring another transfer from a remote location. This results in more
efficient use of the T1, the Internet, and the Web server, while providing the
user a better response time.
Internet Service Providers have begun to place caches in their networks to
further accelerate the distribution of data. This method again improves performance and yields a cheaper solution. Consider caches as you would commuting options. Adding lanes for more cars is significantly less efficient than
using a train, bus, or ferry. While there are times when bigger pipes are
required, it is best to evaluate the actual need. There are also instances where
it's best to take another tack; personally, I look at adding extra lanes for
cars like I do combating obesity by getting larger pants. The same is true in
networking: more bandwidth will not decrease the performance bottleneck
caused by large, uncompressed graphics.
From a security perspective, caching can be problematic, although this
problem is diminishing as the technology advances. The original issue was
that pages viewed were stored on the caching server and could be viewed
without authentication. As more sites employ Secure Hypertext Transfer
Protocol (HTTPS) and non-caching flags, this problem should subside.
Administrators can reduce this risk by securing the caching server as they
would any other corporate resource.
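The storage decision a shared cache has to make for the risk described above, as an added example that is neither the book's code nor any vendor's caching engine. It applies the rules a shared cache must honour (RFC 7234 style: no-store, private, and responses to requests that carried Authorization), plus the point the text makes about HTTPS: a proxy only relays the bytes of a TLS session, so there is nothing for it to store. Treating Set-Cookie responses as non-cacheable is a conservative policy choice made for this example, not an RFC rule, and all URLs and headers are constructed.

```python
"""Shared-cache storage decision (added example)."""
from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """'private, max-age=0' -> {'private': '', 'max-age': '0'}; names lower-cased."""
    directives: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, arg = item.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(url: str, request_headers: Dict[str, str],
                           response_headers: Dict[str, str]) -> bool:
    """True only if a proxy cache shared by many users may keep this response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    if url.lower().startswith("https://"):
        return False            # end-to-end encrypted; the proxy never sees the page
    if "no-store" in cc or "private" in cc:
        return False            # the origin asked that no shared cache keep it
    if "authorization" in req and not ({"public", "must-revalidate", "s-maxage"} & set(cc)):
        return False            # authenticated content with no explicit override
    if "set-cookie" in resp and "public" not in cc:
        return False            # session-bound page (this example's conservative rule)
    return True


def demo() -> Dict[str, bool]:
    """Constructed exchanges: the unflagged intranet page that a cache would
    hand to anyone, versus the same page with the flags the text recommends."""
    unflagged = {"Content-Type": "text/html"}
    flagged = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}
    public_img = {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}
    page = "http://intranet.example/salary"
    return {
        "unflagged_page": shared_cache_may_store(page, {}, unflagged),
        "flagged_page": shared_cache_may_store(page, {}, flagged),
        "auth_page": shared_cache_may_store(page, {"Authorization": "Basic placeholder"}, unflagged),
        "https_page": shared_cache_may_store("https://intranet.example/salary", {}, unflagged),
        "logo": shared_cache_may_store("http://www.example/logo.png", {}, public_img),
    }


if __name__ == "__main__":
    print(demo())
```

The unflagged page is the case the text warns about: with no directives at all a shared cache is entitled to keep it, and every later user of the proxy receives the stored copy without ever authenticating to the origin.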
Access Lists
An access list provides the ability to block or permit traffic based on address,
port number, and/or the concept of established communications. There is no
awareness of upper-layer protocols, and thus protection against application-layer attacks is not available. A significant number of companies continue to
use router access lists as the sole means of securing their networks. Yet, while
such lists certainly belong in most security deployments, the access list itself
is fairly limited.
One of the misunderstood components in an access list is the established
keyword: there is no bona fide established bit or validation of sequence
numbers. Rather, the established keyword requires packets to have the ACK
(acknowledgment) bit set. The acknowledgment bit is set on the second
packet in the TCP three-way handshake that starts all sessions, as well as on
all subsequent packets. The router presumes that any inbound packet with
an ACK bit is in response to a datagram sent by the trusted station. One
denial-of-service (DoS) attack made use of this characteristic: the SYN-ACK flood operated by sending a large number of packets to the target with
both the SYN and ACK bits set. Most systems would overflow their buffers
in servicing the traffic.
The established keyword is used in a different context on the PIX firewall and
should not be confused with the description in this section.
The FIN (finished) bit will also pass the established filter.
There is little doubt that administrators will use time-based access lists.
However, to do so without fully incorporating the feature with a security
policy would be irresponsible.
Reflexive access lists go beyond the traditional permit all established
access lists by incorporating reflexive technology. A reflexive list permits
traffic only in response to a prior event, an originating packet from the
internal network, for example.
Perhaps the best way to understand the operation of a reflexive access list
is to consider the configuration used, which is shown in the following output:
interface hssi 3/0
description Interface to Inet
ip access-group in-filter in
ip access-group out-filter out
ip reflexive-list timeout 120
ip access-list extended in-filter
permit tcp any 10.11.2.0 0.0.0.255 reflect allowed
! Note the implicit deny at the end of the list
ip access-list extended out-filter
deny icmp any any
deny udp any any
evaluate allowed
In this example, the Internet-facing interface (hssi 3/0 in the output) is configured with inbound and
outbound named access lists. The outbound filter denies ICMP and UDP
traffic and then references the reflexive TCP traffic filter, a filter that permits
the return of any TCP traffic that originates inside the network. This is similar
to the established bit, but the advantage is that this permission exists only for
120 seconds or for the duration of the TCP session, a significant reduction
in the amount of time a hacker might have to exploit the permission. Note
that the default timeout value is 300 seconds, which applies to lost TCP sessions and connectionless UDP sessions. Reflexive access lists work with UDP
traffic; however, the termination of the reflexive access list permission is
based only on the timer.
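The difference between the established keyword discussed earlier and the reflexive list just described, as an added example (not the book's code and not Cisco IOS). It models two inbound checks on an Internet-facing interface protecting 10.11.2.0/24, the network in the configuration above: established_permits() is the IOS established keyword, which matches any TCP segment with ACK or RST set and remembers nothing; ReflexiveList creates an entry when a segment leaves the inside network and permits returning traffic only while that entry exists, removing it on FIN/RST or after the chapter's 120-second idle timeout. In IOS the entry is normally created by the outbound list and checked by the inbound one, which is the direction the prose describes and the model follows. Segments, addresses and timestamps are constructed for the demonstration.

```python
"""Stateless 'established' versus stateful reflexive filtering (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE_PREFIX = "10.11.2."   # 10.11.2.0 0.0.0.255 from the access list above


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]     # subset of {"SYN", "ACK", "FIN", "RST"}
    t: float                  # arrival time in seconds (constructed)


def established_permits(seg: Segment) -> bool:
    """'permit tcp any 10.11.2.0 0.0.0.255 established': destination inside and
    ACK or RST set. A forged SYN+ACK satisfies this exactly like a real reply."""
    return seg.dst.startswith(INSIDE_PREFIX) and bool(seg.flags & {"ACK", "RST"})


class ReflexiveList:
    def __init__(self, timeout: float = 120.0):
        self.timeout = timeout
        self._entries: Dict[Tuple[str, int, str, int], float] = {}   # 4-tuple -> last seen

    def _expire(self, now: float) -> None:
        self._entries = {k: seen for k, seen in self._entries.items()
                         if now - seen < self.timeout}

    def outbound(self, seg: Segment) -> None:
        """'reflect allowed': an inside-sourced segment creates or refreshes the entry."""
        self._expire(seg.t)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & {"FIN", "RST"}:
            self._entries.pop(key, None)      # session closing: tear the hole down
        else:
            self._entries[key] = seg.t

    def inbound_permits(self, seg: Segment) -> bool:
        """'evaluate allowed': permit only if an inside host started this session."""
        self._expire(seg.t)
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # mirror of the outbound tuple
        if key not in self._entries:
            return False
        if seg.flags & {"FIN", "RST"}:
            del self._entries[key]
        else:
            self._entries[key] = seg.t
        return True


def demo() -> Dict[str, bool]:
    rl = ReflexiveList(timeout=120.0)
    web = "203.0.113.9"
    # Legitimate session: an inside host opens a connection and the reply returns
    rl.outbound(Segment("10.11.2.5", 40000, web, 80, frozenset({"SYN"}), 0.0))
    reply = Segment(web, 80, "10.11.2.5", 40000, frozenset({"SYN", "ACK"}), 0.1)
    # Forged SYN+ACK aimed at a host that never sent anything (the SYN-ACK flood)
    forged = Segment("198.51.100.77", 12345, "10.11.2.9", 445, frozenset({"SYN", "ACK"}), 1.0)
    # The legitimate peer again, but 200 s after the last segment of the session
    late = Segment(web, 80, "10.11.2.5", 40000, frozenset({"ACK"}), 200.0)
    return {
        "reply_established": established_permits(reply),    # True
        "reply_reflexive": rl.inbound_permits(reply),       # True
        "forged_established": established_permits(forged),  # True: the weakness
        "forged_reflexive": rl.inbound_permits(forged),     # False: no entry exists
        "late_established": established_permits(late),      # True
        "late_reflexive": rl.inbound_permits(late),         # False: entry timed out
    }


if __name__ == "__main__":
    print(demo())
```

The forged segment is the case the text describes: a stateless ACK check cannot tell a reply from a packet that merely claims to be one, whereas the reflexive entry ties permission to a session an inside host actually opened and to a bounded lifetime.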
Encryption
The concept of encryption is best exemplified by the childhood code games
that most pre-teens play. These games send secret messages composed of offsets; for example, each letter may be three characters removed from the
actual letter. Thus, the letter D might represent the letter A, and the letter Z
would be represented with the letter C.
Obviously, such a simple code would be fairly easy to crack. In wartime,
such codes incorporated garbage characters, floating offsets, and other techniques to provide additional protection. By World War II, these ciphers had
become quite advanced and made use of simple computers that added additional randomness to the sequence. A famous Allied victory incorporated the
cracking of a German code, a victory made possible only because a German
officer transmitted the same message twice. By dissecting the pattern, the
Americans and the British were able to build their own computer for decoding the secret messages.
With today's computational power, the ability to encode and decode data
streams is fairly simple, and a wide variety of methods may be employed.
The majority of these methods incorporate the concept of a key, or password, and the number of bits used for the key directly relates to the potential
security afforded by the encryption. A key is the base code used to calculate
the encryption code. For example, the formula for my encryption code might
be to add two and subtract one, but if I allow the user to define the initial
number, the result should be different from those of other users (clearly this
is a very simple example).
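The offset code described above, carried through as an added example (not code from the book). It implements the shift with a user-chosen key (key 3 maps A to D and Z to C, as in the text) and then recovers the key by trying every one of the 26 possibilities, which is all an attacker has to do when the key is that small; the word list used to recognise a correct guess and the sample message are constructed.

```python
"""Shift cipher with a user-chosen key, and why a tiny keyspace is weak (added example)."""
import math
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase
KEYSPACE = len(ALPHABET)      # every possible key: 26 offsets


def shift_encrypt(plaintext: str, key: int) -> str:
    """Move each letter `key` places along the alphabet; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % KEYSPACE])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def keyspace_bits() -> float:
    """Key strength expressed the way the text does, in bits: log2(26) is about 4.7."""
    return round(math.log2(KEYSPACE), 1)


# Constructed recogniser: words an attacker expects to see in a correct decryption.
COMMON_WORDS = {"THE", "AND", "ATTACK", "ROUTER", "FIREWALL", "PASSWORD", "AT", "DAWN"}


def brute_force(ciphertext: str) -> Tuple[int, str]:
    """Try all 26 keys and return (key, plaintext) for the most English-looking guess."""
    best_key, best_guess, best_score = 0, ciphertext, -1
    for key in range(KEYSPACE):
        guess = shift_decrypt(ciphertext, key)
        score = sum(1 for w in guess.split() if w.strip(".,") in COMMON_WORDS)
        if score > best_score:
            best_key, best_guess, best_score = key, guess, score
    return best_key, best_guess


if __name__ == "__main__":
    secret = shift_encrypt("ATTACK THE ROUTER AT DAWN", 11)   # constructed message
    print(secret, "->", brute_force(secret))
```

Everything the key protects here fits in under five bits, so the search finishes instantly; the text's point about key length is that the cost of this loop must grow beyond reach, which is what 56-bit and 128-bit keys are about.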
Recently, the United States government took steps to authorize the export
of higher-security encryption keys to 128 bits. Prior to this time, export keys
were restricted to 56 bits, and munitions laws governed the use of higher
encryption key values.
This text does not address specific technologies for encryption given the ever-changing landscape of the encryption marketplace. However, it is clear that a
standard will emerge and that at least 128-bit keys will be required to provide
the required level of protection.
a technique could thwart hackers even if they knew the data was present.
This concept carries over to existing encryption challenges as well.
TABLE 11.1 Security Risks of Private and Public Fiber-Optic and Copper Links
Link | Risk
Private fiber-optic | Being difficult to tap and monitor given the characteristics of glass, encryption may not be warranted for this media.
Public fiber-optic |
Private copper |
Public copper | The risks are the same as for public fiber; however, the tap point now includes the local loop.
Table 11.1 is based on the electrical characteristics of the media. Electrical signals carried on copper cables can be monitored from an external detector,
whereas fiber prevents such eavesdropping. Fiber connections can be tapped
with an optical splitter, though this requires disrupting the circuit.
Host Security
The majority of host-based security solutions employ the basic tenet of physical isolation. Typically, this places the server in a locked room with limited
access.
Unfortunately, many companies augment this security model only with
simple passwords and don't use the network devices (primarily routers) to
enhance the security model. This leads to two interesting schools of thought
regarding whether the network is a security device. (Ignore firewalls and
other applications on the network that provide security; we're focusing only
on the infrastructure in the network, including switches, routers, and hubs.)
One school claims that the network is not a security device. Proponents of
this view argue that the network is for the transport of packets and that security is the responsibility of the end station. Conversely, the other school contends that the network is a security device and that routers are to be used as
instruments of that policy.
In practice, the real answer to this question generally requires a hybrid of
these two schools. This is where most host security models fail: the ideal is
to have the host and network work together to provide the most secure solution, but many companies enter into security focused solely on the network
and firewalls. From a security perspective, using simple access lists and
strong passwords along with giving much consideration to performance will
likely yield the best solution.
Of course, one of the risks in data security is developing a solution that
impedes productivity. A perfect example of this in the workstation world is
the analog modem. Many companies approve the installation of a measured
business phone line, not realizing that the employee can use it with remote-control software. The user unintentionally thwarts the security policy by
installing a program that can provide a connection via the phone line. Once
the attacker controls the machine connected to both the modem and the
LAN, they can access corporate resources on the network. This circumvents
any protections installed by the network designer or administrator.
    }
    cmd=show {
        #permit show commands
        permit .*
    }
}
user=tlammle {
    # Todd Lammle
    member=operator_plus
    login=cleartext flatshoe
}
group=operator_plus {
    name="Network Operator Plus"
    cmd=debug {
        permit .*
    }
    cmd=write {
        permit terminal
    }
    cmd=clear {
        permit .*
    }
    #permit show commands
    cmd=show {
        permit .*
    }
    cmd=configure {
        permit terminal
    }
    cmd=interface {
        permit .*
    }
    cmd=shutdown {
        permit .*
    }
    cmd=no {
        permit shutdown
    }
}
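How a TACACS+ daemon would answer command-authorization requests against a configuration like the one above, as an added example; this is not code from the book, from Cisco, or from any TACACS+ implementation. It parses the brace-delimited user/group/cmd format and then checks whether a user may run a given command. The matching rules are assumptions stated here and in the comments: the first word of the command selects the cmd block, each permit/deny regular expression is matched against the remaining arguments, the first match wins, a user inherits cmd blocks through member=, and anything without a matching rule is denied. The configuration text is constructed for the example (it reuses the group name above but omits the login line).

```python
"""Parse a tac_plus-style authorization config and evaluate commands (added example)."""
import re
from typing import Dict, List, Pattern, Tuple

SAMPLE_CONFIG = """\
# constructed config for the example; the login line is deliberately omitted
user=tlammle {
    member=operator_plus
}
group=operator_plus {
    name="Network Operator Plus"
    cmd=show {
        permit .*
    }
    cmd=write {
        permit terminal
    }
    cmd=configure {
        permit terminal
    }
    cmd=no {
        permit shutdown
        deny .*
    }
}
"""

Rules = List[Tuple[str, Pattern]]


def parse(text: str) -> Dict[str, Dict[str, dict]]:
    """Return {"user": {...}, "group": {...}}; each entry holds "attrs" (key=value
    lines) and "cmds" (cmd name -> ordered [(permit|deny, compiled regex), ...])."""
    root: Dict[str, Dict[str, dict]] = {"user": {}, "group": {}}
    stack: list = []                        # open blocks: (kind, name, holder)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment (assumption)
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            kind, name = line[:-1].strip().split("=", 1)
            if kind == "cmd":
                rules: Rules = []
                stack[-1][2]["cmds"][name] = rules
                stack.append(("cmd", name, rules))
            else:
                block = {"cmds": {}, "attrs": {}}
                root[kind][name] = block
                stack.append((kind, name, block))
            continue
        kind, _, holder = stack[-1]
        if kind == "cmd":
            verb, _, pattern = line.partition(" ")
            holder.append((verb, re.compile(pattern.strip())))
        else:
            key, _, value = line.partition("=")
            holder["attrs"][key.strip()] = value.strip().strip('"')
    return root


def authorize(cfg: Dict[str, Dict[str, dict]], username: str, command: str) -> bool:
    """True if the user, directly or via the member= chain, may run the command."""
    words = command.split()
    if not words:
        return False
    verb, args = words[0], " ".join(words[1:])
    entity = cfg["user"].get(username)
    seen = set()                            # guards against a membership loop
    while entity is not None:
        rules = entity["cmds"].get(verb)
        if rules is not None:
            for action, pattern in rules:
                if pattern.fullmatch(args):   # first matching rule decides
                    return action == "permit"
            return False                    # block present, nothing matched: deny
        group = entity["attrs"].get("member")
        if group is None or group in seen:
            break
        seen.add(group)
        entity = cfg["group"].get(group)
    return False                            # no rule anywhere: default deny


CONFIG = parse(SAMPLE_CONFIG)

if __name__ == "__main__":
    for cmd in ("show running-config", "write terminal", "write memory", "no shutdown", "reload"):
        print(f"{cmd!r}: {authorize(CONFIG, 'tlammle', cmd)}")
```

Note that the operator can issue write terminal but not write memory, and no shutdown but not any other no command: the per-argument regular expressions are what turn a coarse privilege level into a least-privilege command set, which is the administrative benefit the text attributes to a central AAA server.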
Numerous texts provide the details of these protocols and the features,
including port numbers and encryption, available to the designer. Yet at this
point, designers should be concerned only with the availability of both protocols and the knowledge that both freeware and licensed versions exist.
Cisco offers their CiscoSecure product as one possible solution, and each
product (including freeware, alternative vendors, and Cisco) has advantages
and disadvantages. The benefit of each is that a single system can provide
access control for all network devices, and the password information is not
stored on the network components themselves. This design provides a slight
degree of added security for the architect and greatly simplifies ongoing
administration.
Accounting
It is beyond the scope of this book to address all of the components necessary
for designing a secure network, even if the scope is limited to the network
systems themselves. Various controls on the workstation, server, databases,
and other systems are all required to make a system more secure.
However, all security solutions require the presence of an accounting
function. This may be part of a TACACS+ or RADIUS solution, or it may
appear in the form of log files and audit trails.
The general security guidelines for accounting must include at least two
components: sufficient information to reconstruct the events during the
period and, ideally, a method for quickly parsing out significant events. It is
extremely inefficient for administrators to manually examine the log files
looking for problems. This is one of the areas in which firewalls are strong;
the good ones provide real-time alerts of suspicious activity and highlight
and summarize general activity.
Accounting also has a benefit outside of the security arena. Designers may
be asked to look at accounting to provide charge-back mechanisms and
other revenue-generating services. In fact, it is likely that vendors will
migrate to usage-based billing for Internet connections before 2005, a move
that may yield greater revenue than the current flat-rate contracts.
However, the landscape is changing very quickly, and readers are advised
to examine vendor materials and standards documents before selecting a
technology. Note that at present, though IPSec appears to be the likely VPN
solution, Cisco strongly supports L2TP or a combination of L2TP and IPSec,
which can provide most services except NAT. Microsoft's Windows 2000
product will also support these specifications. It is important to note that
IPSec supports only IP and was initially designed to provide only encryption,
authentication, and key-management services.
One challenge with most of these connection technologies is key distribution. For example, a remote user wishes to activate the VPN client on his
home computer and connect to the corporate VPN server. This requires a
key on the client that authenticates to the server. How does that key get
transmitted securely? To answer this question, designers looking at VPN
technologies need to ask a few preliminary questions, including:
Is administration of the authentication database insourced or outsourced? (Many companies are looking to outsourcing even with the
security risks.)
Once the designer obtains answers to these questions, they can use the
information to compare and select vendors and applications. For example,
key management is a critical issue that may be best handled via outsourcing.
However, it also requires trusting another party to control security, a direct
security risk that most companies are unwilling to accept. Many companies
manage their own keys on a certificate server maintained by the vendor, but
this option is not universally available. As a result, the security requirements
will need to match the services offered by the vendor, or another vendor will
be required.
Summary
Review Questions
1. A firewall is aware of packets beyond which Layer?
A. 3
B. 4
C. 5
D. 6
E. 7
2. A router acting as a firewall should:
A. Deny Telnet on all interfaces
B. Deny Telnet destined for the router itself on all interfaces and
three categories?
A. Corruption, theft, and abuse of data
B. TCP, UDP, and ICMP
C. Audit, cracking, and phreaking
D. Denial of service, SYN-ACK, and IP spoofing
4. Which of the following access methods operates with VPN
technologies?
A. ISDN
B. Frame Relay
C. Dial-up (POTS)
D. Cable modems
E. All of the above
access?
A. Authentication
B. Authorization
C. Accounting
D. None of the above
firewall.
D. A non-unique IP address is used for each session traversing the
security policy?
A. Telnet is permitted to the firewall from external hosts.
B. Telnet is permitted to internal hosts from external hosts.
C. Telnet is not permitted from the firewall to internal hosts.
D. Telnet is not permitted from internal hosts to external hosts.
Chapter 12
Obviously, Cisco wrote their objectives in the context of the Internetworking course materials, and the applicability of a review is questionable in
a static text. In the Cisco materials, the summary of the course typically
receives a quick gloss-over and provides the instructor with the opportunity
to address a running list of issues that have been identified during instruction.
When this book is used as a training aid in a classroom setting, I recommend
that you spend some time now to review the materials covered in the course.
In a static setting, such as when you are working by yourself, it would be
opportune to flip through and look over any highlighting or other marks. It
would be difficult to repeat all the material that might be needed at this
phase. However, following is a list of those areas that are significant because
they are either difficult or important. Do not view this list as comprehensive
for passing the exam; it is not intended to be and it is not constructed based
on the live exams. Simply use this list as a foundation for asking yourself if
you understood this material.
FIGURE 12.1 (figure not reproduced): the CID design flow
Though Cisco expects this flow for the exam, many experienced designers
would take some issue with the order used and the omissions, including
vendor evaluations, pricing, and user testing, for example. However, this
flow does incorporate some very positive elements. For example, the use of
a review and continuous process is frequently omitted from most projects;
everyone completes the first project and moves to the second. Remember,
there are four phases to a project or, at least, a well-run project:
Conception
Provision
Implementation
Review
It would be easier to remember the order of these steps if all four ended
in -tion, yet perhaps it's easier to remember because the steps don't exactly
flow together. Another memory aid is to skip the implementation step and
think CPR. Many projects require first aid soon after implementation
because the review step was dismissed.
The CID model illustrated in Figure 12.1 accomplishes a number of
things. The key points to remember are:
Document the budget and resources available for this project and
establish a time line. Gantt charts, which show the relationships
between each task over time and per resource, are very helpful in
this phase. All participants in the project should be able to identify
the dependencies with other efforts and tasks.
Identify the requirements for fault management, accounting management, configuration management, performance management,
and security management. It may also be appropriate to consider
change management at this phase. This is an area where many
companies falter. Placing a circuit in the network is relatively easy,
but failure to consider the support of that circuit can harm even
the best design.
Document the projected number of users who will use the new
applications and protocols. This is a key component of scalability
and capacity planning.
Identify the peak hours of usage of new applications. This information should be stored in a central location outside of the project
so that other groups can anticipate future demands.
Data throughput, measured between nodes per unit of time, usually seconds. This accounts for bursts in the network. Most
designers will not design for bursts, opting for a five-minute
to one-hour average utilization instead. However, if the user
saturates the link for five minutes and the link is idle for the
remaining 55 minutes, this will lead to poor performance as
observed by the user.
Record the customer's requirements and constraints and the characteristics of the existing network. This type of document is critical to providing a clear review process: did the project meet the
objectives?
Some argue that this step is not optional and that it should appear earlier in the
process. Experience should provide a guide in your individual environment.
Of course, this list is somewhat utopic. The sad reality is that many of
these steps are skipped in the mad rush to deploy new systems. Nonetheless,
this is a good list to know for the exam and a wonderful target to strive for
in production networks.
Select those items that are most beneficial to your environment and create a
form that addresses them. It doesn't have to be bureaucratic. Rather, use it for
your own reference and augment it as necessary.
Network management tools can also aid in the configuration of the network. Programs are available to simplify the establishment of VLANs and
other parameters that would otherwise require manual input with the
command-line interface. Tools can not only speed up the configuration process, but they can allow less-trained workers to perform these tasks; they
will not have to learn the intricacies of the command-line interface (CLI).
While the network-management tools like CiscoWorks can greatly assist
the network administrator, there are other methods that can be used to
obtain information regarding the network's health. These include:
Protocol analyzers
An out-of-band management VLAN for switches. Out-of-band connections do not traverse the same connections as user data paths,
called in-band connections.
Summary
Review Questions
1. Following the implementation phase of a project, the network designers should:
A. Review the original project goals against the existing implementation
B. Move on to the next project
C. Take a vacation
D. Run down the hall screaming, "Bad thing!" when the network
crashes
2. Which of the following is not true regarding network-management
tools?
A. They assist administrators by alerting them to potential network
problems.
B. They provide an efficient means of configuring network devices.
C. They replace the need for a good network design.
D. In most cases, they use SNMP and RMON.
3. Following the development of an internetwork structure, the designer
should:
A. Configure the network equipment
B. Determine the business needs
C. Configure the network standards, including naming and
addressing
D. None of the above
Chapter 13
Advanced Network Design
IP multicast
Redundancy
Troubleshooting
The Internet
Wireless
Case management
Encryption
The bulk of this chapter incorporates concepts that are not part of the Cisco
exam objectives, and so readers are encouraged only to review this material.
Some specific attention should be given to IP multicast, however.
IP Multicast
Designers should refer to RFC 1469 for information regarding Token Ring
multicast.
Once the client joins the multicast, the routers are responsible for permitting the data flow to move from the server to the end station. This prevents
the multicast from forwarding onto segments that do not wish to participate.
In addition, the workstation can use the multicast address to determine
whether it wishes to receive the multicast at Layer 2. For non-recipient stations
on the same segment, this eliminates unnecessary interrupts. Figure 13.1 illustrates a typical multicast network. Only those routers that need to forward
the multicast out an interface receive the data stream. The thicker lines and
black serial connection indicate this arrangement. The white serial connections and the thin lines denote a pruned connection; the multicast is not
forwarded on these links, which ultimately conserves bandwidth. Pruning,
like trimming the branches on a tree, implies that the path from the trunk to
the leaves has been cut.
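The Layer 2 filtering described above works because every IPv4 multicast group maps to a predictable Ethernet address (the 01:00:5E prefix asked about in review question 20 of this chapter). The following Python, added here as an illustration and not taken from the book, derives that MAC from a Class D group address and shows the 32-to-1 overlap that forces the host's IP layer to re-check group membership after the NIC filter passes a frame; the sample group addresses are constructed.

```python
"""IPv4 multicast group to Ethernet MAC mapping (added example, not from the book)."""
import ipaddress

# 01:00:5E:00:00:00 is the MAC block reserved for IPv4 multicast (RFC 1112).
MCAST_MAC_BASE = 0x01005E000000
CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")


def is_class_d(ip: str) -> bool:
    """True for addresses in 224.0.0.0/4, the Class D (multicast) range."""
    return ipaddress.IPv4Address(ip) in CLASS_D


def multicast_mac(ip: str) -> str:
    """Map a Class D group address to the MAC a NIC is programmed to accept.

    The low-order 23 bits of the group address are copied into the low-order
    23 bits of 01:00:5E:00:00:00. The five bits between the 1110 class prefix
    and those 23 bits are discarded, so 32 different groups share one MAC.
    """
    if not is_class_d(ip):
        raise ValueError(f"{ip} is not a Class D (multicast) address")
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    mac = MCAST_MAC_BASE | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip: str) -> list[str]:
    """Return the 32 Class D groups whose MAC collides with ip's.

    The collision is why a NIC filter alone is not enough: the host's IP
    layer must still compare the destination group with the groups it joined.
    """
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    # Bits 28..31 are the 1110 class prefix; bits 23..27 are the discarded five.
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


if __name__ == "__main__":
    # Constructed sample groups, including the OSPF all-routers group 224.0.0.5.
    for group in ("224.0.0.5", "224.1.1.1", "225.1.1.1", "239.255.255.255"):
        print(f"{group:>16} -> {multicast_mac(group)}")
    print("groups colliding with 224.1.1.1:", ", ".join(groups_sharing_mac("224.1.1.1")[:4]), "...")
```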
Note that this diagram implies the use of CGMP, or Cisco Group Messaging Protocol. CGMP further parses the multicast flow by limiting it to
specific switch ports. Without this function, all members of the VLAN
would be flooded with the multicast; the switch would have no mechanism
to block the multicast packets from non-recipient ports. CGMP differs from
IGMP (Internet Group Management Protocol), described later in this chapter. CGMP is responsible for blocking multicast traffic from individual ports
on a Cisco switch; IGMP is a workstation-to-router process that instructs the
router to forward the multicast on a segment basis.
FIGURE 13.1 Multicast server and four multicast receivers
First, multicast clients request to join the multicast via an IGMP request
to their local router. The primary rationale behind this mechanism is to keep
multicast traffic from forwarding onto a segment, allowing the segment to
be pruned. Note that IGMP is a Layer 3 protocol, operating at the same layer
as IP or ICMP.
Second, designers will need to select a multicast protocol that operates
between the routers in the network. PIM (Protocol Independent Multicast)
is typically found in many deployments. However, DVMRP (Distance Vector Multicast Routing Protocol) is also available. DVMRP is usually found
in installations that connect the MBONE, or the Internet's multicast backbone. Cisco's implementation of DVMRP is incomplete, depending on the
IOS (Internet Operating System) version, and so most installations use PIM.
PIM operates in three modes on Cisco routers: dense mode, sparse mode,
and sparse-dense mode. Functionally, each of these modes works to control
the multicast tree; however, sparse mode uses a rendezvous point (RP).
Dense mode is very similar to DVMRP: both protocols assume that bandwidth is not a factor and that all routers wish to join the multicast. Sparse
mode indicates that the routers are farther apart (sparsely populated) and
that bandwidth is typically constrained. This situation is common in WAN
environments; however, sparse mode may be used in LANs as well.
Sparse-mode protocols operate under the premise that each router must
explicitly join the multicast. In this design, each source transmits its multicast along the shortest path to the RP, which distributes the packet to registered receivers.
It is important to note that PIM relies on an underlying unicast routing
protocol regardless of configuration for sparse or dense mode. In addition,
each multicast group should contain a single rendezvous point. Sparse mode
uses a process called shortest path switchover to join and leave the multicast
tree, which conserves bandwidth.
As noted previously, PIM also operates in sparse-dense mode on Cisco
routers. In this configuration, the router will first operate in sparse mode and
will then convert to dense-mode operation if a problem arises. Such a problem
typically involves failure of the RP. Therefore, Cisco recommends the use of
sparse-dense mode for all large-scale multicast deployments. These types of
installation typically involve low-bandwidth or geographically distant links
and require some degree of redundancy. Designers should note that the
RP can be located via two dynamic methods: auto-RP and candidate-RP
announcements. In addition, every router in the multicast group can be configured with a static entry for the RP.
The multicast routing protocols are designed primarily to avoid forwarding loops. Consider a generic rule that states that all multicasts are forwarded out all interfaces except the source interface. This method works fine
for simple linear topologies. However, it is easy to understand that a loop
would occur if the topology provided additional paths. For example, router A
forwards to B, which forwards to C, which returns the packet to A.
DVMRP and PIM both operate to prevent looping from occurring by
understanding the network topology and using Reverse Path Forwarding
(RPF). This mechanism uses the distance back to the multicast source and
effectively creates a spanning tree to control the flow of the multicast packets.
RPF is not part of the 802.1d specification but operates as part of a Layer 3
process on the routers participating in the multicast.
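To see why the naive "all interfaces except the source interface" rule loops and the RPF check does not, here is a small Python simulation added to this section (it is not the book's code). It floods one packet across the A, B, C triangle described above, with a constructed source S behind A and a constructed leaf router D behind C, once with the naive rule and once with an RPF check; the "unicast routing table" the check consults is a hop-count shortest path computed by breadth-first search, which stands in for the real routing protocol PIM or DVMRP would use.

```python
"""Naive flooding versus RPF-checked flooding (added example, not from the book)."""
from collections import Counter, deque

# Constructed topology: source S hangs off router A; routers A, B and C form
# the triangle the text describes (A -> B -> C -> A); D is a leaf behind C.
TOPOLOGY = {
    "S": {"A"},
    "A": {"S", "B", "C"},
    "B": {"A", "C"},
    "C": {"A", "B", "D"},
    "D": {"C"},
}

# Constructed linear topology, where the naive rule is enough (no extra paths).
LINE = {"S": {"A"}, "A": {"S", "B"}, "B": {"A"}}


def rpf_table(graph, source):
    """Return {router: neighbor on the shortest path back to source}.

    This stands in for the unicast routing table that PIM and DVMRP consult:
    the RPF neighbor is the next hop a unicast packet *to* the source would
    take. Breadth-first search gives hop-count shortest paths; ties are broken
    by neighbor name so the result is deterministic (constructed tie-break).
    """
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for neighbor in sorted(graph[node]):
            if neighbor not in parent:
                parent[neighbor] = node
                queue.append(neighbor)
    return parent


def flood(graph, source, use_rpf, max_forwards=200):
    """Flood one multicast packet from source and report what happened.

    Without RPF: forward out every interface except the one the packet
    arrived on (the rule the text shows looping on a triangle).
    With RPF: additionally drop any copy that did not arrive from the RPF
    neighbor, so each router accepts exactly one copy and the flood stops.
    Returns (copies accepted per node, forwards made, loop detected).
    """
    rpf = rpf_table(graph, source) if use_rpf else None
    accepted = Counter()
    forwards = 0
    pending = deque((neighbor, source) for neighbor in graph[source])  # (router, arrived_from)
    while pending:
        if forwards >= max_forwards:
            return accepted, forwards, True  # still busy after the budget: a loop
        router, came_from = pending.popleft()
        if use_rpf and rpf.get(router) != came_from:
            continue  # RPF check failed: the copy came the "wrong way", drop it
        accepted[router] += 1
        for neighbor in graph[router]:
            if neighbor != came_from:
                pending.append((neighbor, router))
                forwards += 1
    return accepted, forwards, False


if __name__ == "__main__":
    for name, graph in (("line", LINE), ("triangle", TOPOLOGY)):
        for mode in (False, True):
            accepted, forwards, looped = flood(graph, "S", use_rpf=mode)
            print(f"{name:>8} RPF {'on ' if mode else 'off'}: forwards={forwards:>3} "
                  f"looped={looped} accepted={dict(accepted)}")
```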
One of the simplest redundancy options available to network designers is the Cisco proprietary HSRP, or Hot Standby Router Protocol. HSRP
configurations establish two router interfaces on the local subnet and duplicate the MAC address and the IP address on each router. This duplication is
permitted because only one HSRP interface is active at any time. Each interface also has its original IP address and MAC address. This configuration is
illustrated in Figure 13.2, which shows the left router as the HSRP primary
and the right router as the HSRP secondary.
FIGURE 13.2 HSRP secondary router and workstation
One of the keys to a redundant design is the use of monitoring tools and
automatic failover. The term failover defines the actions necessary to provide comparable service in the event of a failure; the network fails over to
another router, for example. In ATM installations, many designers opt to
configure OAM (operation, administration and management) cells. These
cells work to provide connectivity information regarding the entire virtual
circuit, as opposed to the physical connection. Because OAM cells can detect
a failure faster than the routing protocol can, they are used to trigger an
update.
Some network configurations use the backup interface function in the IOS
to activate a standby link in the event of primary failure. This is an excellent
solution for low-bandwidth requirements where circuit costs are high.
Perhaps the most redundant solution is to install multiple paths through
the network. The majority of this book focused on single paths through the
network, in part because this concept is easier to understand. In fact, most
examples in Cisco's extensive library of information and configurations fail
to consider redundant paths through the network unless the specific topic
demands this level of detail.
The best counsel regarding multiple circuit designs is to use a high-end
routing protocol and the hierarchical model. In addition, it is advisable to
consider more than just link failure when mapping circuits.
From a physical layer perspective, the network can fail at one of three
points. These are illustrated in Figure 13.3.
FIGURE 13.3 Access location failure scenarios, distribution location failure scenarios, and the WAN cloud
As shown in Figure 13.3, the middle failure point incorporates the WAN
cloud. This encompasses failures in switching equipment and provider networks. Unfortunately, the only viable method for addressing this failure
scenario is to select diverse providers. This solution can add to the cost of the
network and become a factor when corporate mergers (between telecommunication vendors) occur.
The two end failure points actually encompass two different solution sets.
The first is the physical entry into the building. For critical locations, designers should consider diverse entry paths into the building, possibly terminating in two different demarks, or demarcation points. A demarcation point is
the point at which the telephone company turns over the cabling to the business. While this solution adds significantly to the costs, it can prevent a
multitude of failures.
The second solution set incorporates the distribution layer destination.
Consider an access layer site with two circuits from different providers that
terminate into the same distribution layer building. Perhaps the designer
improved on this design by terminating each circuit on a different router.
While this design may be the only one available, the scenario of complete
building failure quickly ruins such a design. Building failure may occur from
an earthquake, a hurricane, a flood, a tornado, or non-nature-driven events,
including civil unrest and power failure. Whenever possible, designers
should opt for two physically separate termination points.
delivery demand an understanding of the session, presentation, and application layers of the OSI model.
The availability of Layer 3 awareness in a switch has also permitted a
migration from the old, flat model. This migration addresses some of the limitations that resulted from the vendor and Layer 2 industry push; shared
media control and spanning-tree control both failed to scale beyond a few
hundred devices in most networks due to the lack of broadcast control. The
general guideline still holds for fewer than 1,000 devices to be placed in a
single broadcast domain, and all of those devices should be well-tuned, IP-only
workstations without a reliance on NetBIOS.
Black Holes
One of the dangers posed by the removal of Layer 2 connections is defined
by the concept of a black hole. A black hole in space is a former star that has
collapsed upon itself and become so dense that its gravity consumes most
matter, including light. The theory is that nothing can escape this attraction,
although Professor Hawking and others have shown that some matter does
escape. The simplified image of a black hole is that all things entering the
black hole are lost.
A black hole in networking is substantially simpler, but the net impact on
a data packet is the same: the packet will be lost forever. Figure 13.4 illustrates the typical Layer 2 design model. As shown, any single physical layer
failure can be resolved at Layer 2; no black hole exists.
FIGURE 13.4 Catalyst switches operating at Layer 2
Figure labels: Catalyst Switch Operating at Layer 2, Link Failure, Server 1
In Figure 13.5, the link between the two core switches shown in Figure 13.4
has been removed. Ignoring the link failure for a moment, note that a physical loop is impossible with this configuration. Host 1 has only one path to
each of the routers on its subnet (via HSRP). Server 1 is the problem; its
traffic must traverse the access-layer switch (shown at the top of the diagram) in order to reach the core switch on the left side. This lack of an alternate physical layer path leads to the black-hole scenario: the packet
destined for the server has a 50-50 chance of getting there. The packet may
be forwarded to the workstation segment and never received by the server. The
packet ultimately goes nowhere from a data-flow perspective. This scenario
is shown in Figures 13.5 and 13.6; however, the flow of the packets is omitted. Note that there are a number of variations on black holes in terms of
data flow, but the context is the same.
Another difference between Figures 13.5 and 13.6 is the lack of multiple
access-layer switches. This lack leads to one of the disadvantages of the
Layer 3 design. As noted before, this configuration creates the potential for
a black-holed segment with the loss of a single link. This potential is shown
in Figure 13.6.
FIGURE 13.6 Host 1, Catalyst switch operating at Layer 2, link failure, and Server 1
The solution for the designer is somewhat limiting, although implementation is simplified and the negatives of the Spanning-Tree Protocol in large-scale switched networks are negated. By not allowing any intra-VLAN
connections except the feed links and the access-layer switch, the designer
may use HSRP or VRRP to provide redundancy and a loop-free configuration. This design admittedly removes some of the advantages of VLANs;
the network is again highly reliant upon Layer 3, but that is acceptable in
modern design. With Layer 3 awareness at wire speeds, any performance disadvantages are virtually negated and the benefits of broadcast control are
added.
Access lists can provide a good front-line defense, but attention should
also be given to network performance.
Firewalls and bastion hosts certainly help to provide data security, but
they must be well understood by administrators.
Depending on the reference cited, up to 90 percent of attacks originate from inside the network, effectively bypassing most firewall
installations.
In addition to the network processes, designers should work with administration and other departments to provide the best security solution. This
will frequently include scanning for viruses, controlling passwords, and
using diskless workstations and encryption.
Companies frequently rush to deploy new services for customers that may
compromise the best security models. One of these services is the self-service
kiosk, a terminal that is available to customers in a business office or remote
location. These devices frequently compare with automated teller machines,
although their functionality is often much greater. They can pose a substantial security threat when placed on the same network as the corporate
workers, an event that occurs regularly. Most companies rely on physical
security to protect their computer systems; it should be difficult to walk
into an organization and start entering data on a networked computer. Consider the impact of a hacker using a locally connected machine to launch an
attack or placing a protocol analyzer on the segment; passwords and other
data could easily be compromised. Another risk is the potential for questionable
material to be loaded onto the kiosk machine, an adult Web site, for
example. The public relations impact of this prank alone could be very damaging to the company.
The kiosk concept makes such attacks even simpler. Many companies
have rushed to deploy these solutions and have used the standard workstation software image (software configuration loaded to all machines in the
enterprise), the one with the populated hosts file, in deployment. As noted
previously, some companies have even placed these stations on the same network segment as regular production traffic with no security whatsoever.
Fortunately, the majority of readers already realize just how dangerous this
design can be. It thus becomes the job of the designer to understand the business needs and then educate the business on the risks that it is facing.
Case Management
the possibility of a larger failure. This can easily shorten the diagnostic process since administrators are focused on a single problem instead of looking
at each call as an isolated issue.
Many organizations are also providing real-time network data to end
users, or at least small groups of end users. This preemptive measure can
greatly reduce the number of calls reporting a network capacity problem
(described in the next section) because the user can see that a link is operating
at only five percent, thus showing that the problem is likely not caused by
excessive utilization. While this does not exonerate the network, it does
squelch the call to immediately upgrade the circuit. By providing this information, the designers and architect can initiate a stronger dialog with their
users.
Capacity planning is possible, and there are general, easily implemented rules.
For example, a redundant serial connection would likely require attention and
expansion once the individual link utilization reaches 35 percent, allowing
for sufficient bandwidth upon a single link failure.
Encryption
Cisco recently added secure shell services to the IOS, which provides another
solution.
The majority of this text addressed some of the more basic concerns in
network design. In reality, future designs will prove to be much more difficult for designers to implement, relative to today, depending on whom you
ask. Today, most designers are concerned with connecting workstations to
servers and mainframes, and while remote access, wireless, and videoconferencing are all portions of the modern network, the current focus is on
a fairly simple model wherein a relatively small number of devices communicate over clusters of networks that loosely interconnect.
In the future, the network will substantially increase in complexity. For
example, not only will data require secure connections, but it will also
Throughout this text, the term Internet has been used to mean the Internet
that evolved from ARPANET, also called Internet One (I One). No dialog on
the future of networking would be complete without noting the efforts in place
to establish better networks dedicated to specific tasks, including academic
research. However, the use of the term Internet does not encompass the
Internet Two (I2) project or any of the other new networks.
In the academic arena, engineers and technologists are using systems that
may ultimately drive the need for a capacity of over 5Gbps per user. These
systems include components beyond virtual reality, wherein individuals
relate with each other via sensors and feedback pressure suits. It is conceivable,
according to some futurists, that the holodeck from Star Trek will be a
reality within 50 years; the technology of today already mimics significant
components of science fiction.
It will be interesting to see exactly what network services become commonplace in society. Today, many people carry cellular phones, PDAs (personal digital assistants), pagers, and watches; there is little reason not to
combine all of these devices into a single unit. At present, most users continue to carry multiple devices for historical, user-interface, power, or availability reasons.
Consider the following scenario: What would happen if all such devices
automatically communicated with each other? The demands on the network
become fairly clear. For this example, consider that no fundamental changes
have occurred from a business or humanistic perspective.
Let's say I received an e-mail message informing me that a friend is flying
into the local airport at noon. I received the message at 10 a.m., and I've just
gone to a meeting.
What if the network allowed a parser (a program that scans text) in my e-mail application to identify this message as being important, beyond the
scope of urgent used today. The application could connect to my PDA over
a wireless link and determine that I had just entered a meeting. Rather than
disturbing me, the application could also determine that I had no plans for
lunch. The application could send a response to my friend noting that I was
unavailable to confirm, but that I would tentatively agree to lunch. Another
application could propose three restaurants in the area.
My friend would respond to the e-mail and note that the $100-hamburger
place at the airport was fine (ask a pilot if you don't get the reference). My
calendar (possibly as part of my PDA) would automatically receive the
update and, when my meeting was over, pop up a confirmation. An application could also automatically make a reservation at the restaurant, again
over the network.
Notice how much of this exchange relied on the application layer and not
the network. However, the applications required complete interconnectivity
between devices, wireline and wireless, in order to complete the process.
It is likely that the majority of the hurdles in the foreseeable future will be
based in Layer 8: politics. Even the end-user financial issues will pale in
comparison, according to many researchers. As the model migrates toward
services rather than transport, network designers will likely need to concern
themselves less with the minutiae of packet flows and more with the interoperability of the services themselves. Stated another way, the challenge will be
to explain and address corporate needs in nontechnical ways while also
understanding the interoperability of the applications and their individual
links. Billing for packets, for example, may become one of many new areas
that require attention from the designer.
Few would argue that the computer revolution has just begun. There are
legitimate concerns regarding the ability of the marketplace to continue support of such rapid and massive change. However, it appears probable that
change will continue at a rapid pace.
Summary
This chapter dealt with some of the issues that confront network
designers but that are not part of the Cisco exam objectives. In reality, this
chapter could continue for quite some length, as the release of new products
requires an ever-increasing dialog regarding the functionality that can be
exploited from network technology.
I hope that you've enjoyed this text and wish you luck on both your exam
and future endeavors. I sincerely believe that this text, coupled with some
real-world experience, will easily prepare you for the CID exam. I also hope
that this text will also become part of your permanent library for reference
and reflection; Todd and I have both worked to add value that will transcend the short-term goal of certification.
Review Questions
1. IP multicast uses which class of IP address?
A. Class A
B. Class B
C. Class C
D. Class D
2. Which proprietary protocol is used by Cisco switches to control multicasts at Layer 2?
A. PIM
B. EIGRP
C. CGMP
D. IGMP
3. Which protocol is used by a workstation to inform the router that it
interface
B. Allows the administrator to see which packets traversed which
network
D. Can occur only with token-passing topologies
10. One reason to create networks based on Layer 3 is:
A. To avoid spanning-tree reliance
B. To avoid the need for routers
C. To allow for HSRP
D. To support multicast sparse-mode operations
11. Designing the network with troubleshooting in mind can:
A. Simplify outage scheduling and isolate systems
B. Lead to problems
C. Compel the designer to use VLSM
D. Negate the use of OSPF
12. True or false: Most network attacks can be thwarted with a perimeter
firewall.
A. True
B. False
MAC address.
A. True
B. False
20. The first three octets of a multicast MAC address start with:
A. FF:FF:FF
B. 01:00:5E
C. Depends on the IP address
D. Is equal to the MAC address of the source
Appendix A
Practice Exam
tunneling?
A. Direct
B. HDLC
C. RSRB
D. TCP/IP
of the following?
A. RSRB
B. APPN
C. DLSw+
D. None of the above
5. The RIF includes:
A. Ring numbers and SNA addresses
B. Ring numbers and IP addresses
C. Ring numbers and bridge numbers
D. Bridge numbers and SNA addresses
6. Each FEP must maintain a different LAA. True or false?
A. True
B. False
7. Traditional source-route bridging would be most efficient in which
router will:
A. Flood the entire AS for a new route
B. Flood the entire network, including redistributed protocols, for a
route
C. Wait for the next update window and listen for an announcement
network
D. Disables IPX routing and enables bridging
18. IP eXchange:
A. Requires a Unix server
B. Needs a single IP address for all clients
C. Tunnels IPX packets in IP datagrams
D. Is a high-speed file transfer protocol
19. An NLSP area should be limited to:
A. 100 nodes
B. 200 nodes
C. 400 nodes
D. 800 nodes
20. Assuming a Cisco router is in an environment that has six IPX routes
of equal cost, how many routes will the router use by default?
A. One IPX route
B. Two IPX routes
C. Four IPX routes
D. All IPX routes of equal cost
26. A workgroup:
A. Requires the use of a domain controller
B. Requires membership in a domain
C. Requires the use of WINS and DHCP
D. Can be created by any two nodes
27. A network requires redundancy whenever possible. Which of the fol-
dows networks?
A. Broadcasts
B. DHCP
C. DNS
D. WINS
29. Well-designed IP networks with broadcast controls can support up to:
A. 100 hosts
B. 200 hosts
C. 500 hosts
D. 1000 hosts
30. NetBIOS cannot run on Unix systems. True or false?
A. True
B. False
following?
A. Annex D
B. Annex A
C. Frame Relay Forum LMI
D. AAL 5 LMI
in WAN design?
A. Termination equipment
B. Routers
C. Switches
D. Circuits
37. Compared to LANs, are wide area networks generally more or less
reliable?
A. WANs are more reliable.
B. WANs are less reliable.
38. Which of the following provides the best reason to use VPN
technology?
A. Lower access charges
B. Higher security
C. Fault tolerance
D. None of the above
39. For security, which provides the best protection from hackers?
A. Private copper
B. Private fiber
C. Public copper
D. Public fiber
40. The router dynamically permits access into the network based on out-
44. What should the designer do when designing a tunnel for AppleTalk
48. Cisco switches (Catalyst 5000 series) can connect to which of the
10Mbps Ethernet hub. The theoretical increase in available bandwidth for 12 stations is:
A. The same
B. Doubled
C. Increased by a factor of 12
D. Not enough information provided
25. C.
26. D.
27. D.
28. B.
29. D.
30. B.
31. D.
32. D.
33. B.
34. C.
35. D.
36. D.
37. B.
38. A.
39. B.
40. C.
41. B.
42. A.
43. A.
44. A, B.
45. A.
46. C.
47. B.
48. D.
49. C.
50. C.
Appendix B
Bonus Exam
(Select two.)
A. Connected interfaces
B. BootP packets
C. Information learned from dynamic routing protocols
D. DHCP packets
19. The use of subinterfaces in X.25 can avoid problems typically found
subnets?
A. Secondaries
B. Tunnels
C. Classless routing protocols
D. All of the above
E. None of the above
22. Routers operate:
A. At Layer 2 and are slower than switches
B. At Layer 2 and are faster than switches
C. At Layer 3 and are faster than switches
D. At Layer 3 and are slower than switches
enterprise is:
A. The return of public addresses
B. Direct connectivity to the Internet
C. Faster assignment of addresses from the ISP; the numbering
a group address?
A. ATM
B. SMDS
C. Frame Relay
D. ISDN
resort routes
D. Selection of resources based on previously existing connections
29. In order to obtain the most scalability, designers should use:
A. AppleTalk phase one
B. AppleTalk phase two
C. AppleTalk phase three
D. MacIP
30. Which of the following are true regarding AppleTalk?
A. All of its routing protocols on Cisco routers require the use of
split-horizon.
B. Its default routing protocol is NLSP.
C. Its default routing protocol is AURP.
D. With its default routing protocol, the network diameter is limited
to 15 hops.
merge voice and data in the WAN. The best preliminary solution
would be to:
A. Deploy FastEthernet
B. Deploy ATM LANE
C. Deploy ATM
D. Deploy FDDI
35. Which RFC defines the private address space in IP? (Select two.)
A. RFC 1597
B. RFC 1009
C. RFC 1918
D. RFC 1819
loops?
A. Holddown timers
B. VLSM
C. Poison reverse
D. Route summarization
46. Link failure is detected with carrier loss or which of the following?
A. Redistribution
B. Keepalive timers
C. CDP packets
D. None of the above
47. True or false: OSPF is classful.
A. True
B. False
48. NAT, as opposed to NAT overload or PAT, supports which of the
following?
A. A single IP address
B. A pool of IP addresses
C. A pool of IP networks
D. Any of the above
49. The designer has four DLCIs in the Frame Relay network terminating
25. A.
26. B.
27. A.
28. B, D.
29. B.
30. D.
31. B.
32. A.
33. C.
34. C.
35. A, C.
36. E.
37. D.
38. B.
39. A, C, D.
40. C.
41. C.
42. D.
43. B.
44. B.
45. A, C.
46. B.
47. B.
48. B.
49. A.
50. A.
51. C.
52. Good luck on the exam!
Appendix C
References
Web-Based Resources
While every effort has been made to provide an accurate list, the dynamic
nature of the Internet and the static nature of this text will likely result in
invalid references over time.
WAN Technologies
ADSL Forum: www.adsl.com
DSL Life: www.dsllife.com
www.frforum.com
www.atmforum.com/index.html
Commercial Communications Standards: www-comm.itsi.disa.mil/isdn/index.html
www.niuf.nist.gov/
Operating Systems
Apple: www.apple.com
Novell: www.novell.com
Microsoft: www.microsoft.com
CNET WinFiles: www.winfiles.com
Linux: www.linux.org
www.ietf.cnri.reston.va.us/home.html
www.cis.ohio-state.edu/hypertext/information/rfc.html
IEEE: www.ieee.org
Other
3Com: www.3com.com
Business 2.0: www.business2.com
Cisco Systems: www.cisco.com
teledotcom.com
www.cosn.org
www.dmtf.org
www.ens.net/trends.htm
www.lammle.com
GTE Internetworking: www.bbn.com/securitymatters
IBM: www.networking.ibm.com
International Telecommunication Union: www.itu.org
whatis.com/itraffic.htm
www.l0pht.com
www.mae.net
www.nwfusion.com
NewBridge: www.newbridge.com
Nortel Networks: www.nortelnetworks.com
www.ovforum.org
PC Week: www.pcweek.com
Pittsburgh Supercomputing Center: www.psc.edu/networking
Securitywatch.com: www.securitywatch.com
Slashdot: www.slashdot.org
Sun Microsystems: docs.sun.com
Telecom Research: www.telecomresearch.com
www.wirelessethernet.org
Ziff-Davis: www.zdnet.com
Study Groups
NetCerts: www.netcerts.com
www.ciscopaw.com
www.boson.com
Groupstudy.com: www.groupstudy.com
www.networkstudyguides.com
www.modisit.com
www.monster.com
www.realrates.com
www.skillsvillage.com
www.techies.com
www.vault.com
Humor
www.userfriendly.org
www.dilbert.com
RFCs
It would be inappropriate to reprint the entire RFC index in this text.
A number of Web sites provide this information in a continually updated
manner. This list is intended to highlight some of the more important and
frequently referred to RFCs.
1055: SLIP
1483: Multiprotocol Encapsulation over ATM AAL5
1487: LDAP
1490: Multiprotocol Interconnect over Frame Relay
1492: TACACS
1577: Classical IP and ARP over ATM
1586: OSPF over Frame Relay
1631: NAT
1661: PPP
1700: Assigned Numbers
1918: Private IPv4 Address Space
1925: The Twelve Networking Truths (the most important RFC?)
1990: PPP Multilink Protocol
2002: IP Mobility Support
2132: DHCP Options
2281: HSRP
2324: Hyper Text Coffee Pot Control Protocol (really)
2328: OSPF Version 2
2338: VRRP
2676: QoS Routing Mechanisms and OSPF Extensions
2740: OSPF for IPv6
Glossary
ACR allowed cell rate: A designation defined by the ATM Forum for
managing ATM traffic. Dynamically controlled using congestion control
measures, the ACR varies between the minimum cell rate (MCR) and the
peak cell rate (PCR). See also: MCR and PCR.
active monitor The mechanism used to manage a Token Ring. The network node with the highest MAC address on the ring becomes the active
monitor and is responsible for management tasks such as preventing loops
and ensuring tokens are not lost.
address mapping By translating network addresses from one format
to another, this methodology permits different protocols to operate interchangeably.
address mask A bit combination descriptor identifying which portion of
an address refers to the network or subnet and which part refers to the host.
Sometimes simply called the mask. See also: subnet mask.
address resolution The process used for resolving differences between
computer addressing schemes. Address resolution typically defines a method
for tracing network layer (Layer 3) addresses to data-link layer (Layer 2)
addresses. See also: address mapping.
adjacency The relationship made between defined neighboring routers
and end nodes, using a common media segment, to exchange routing
information.
administrative distance A number between 0 and 255 that expresses the
trustworthiness of a routing information source. The lower the number,
the more the source is trusted; a distance of 255 means the route is never installed.
administrative weight A value designated by a network administrator to
rate the preference given to a network link. It is one of four link metrics
exchanged by PTSPs to test ATM network resource availability.
ADSU ATM Data Service Unit: The terminal adapter used to connect to an
ATM network through an HSSI-compatible mechanism. See also: DSU.
advertising The process whereby routing or service updates are transmitted at given intervals, allowing other routers on the network to maintain
a record of viable routes.
AEP AppleTalk Echo Protocol: A test for connectivity between two AppleTalk nodes where one node sends a packet to another and receives an echo,
or copy, in response.
AFI Authority and Format Identifier: The part of an NSAP ATM address
that delineates the type and format of the IDI section of an ATM address. See
also: IDI and NSAP.
AFP AppleTalk Filing Protocol: A presentation-layer protocol, supporting
AppleShare and Mac OS File Sharing, that permits users to share files and
applications on a server.
AIP ATM Interface Processor: Supporting AAL3/4 and AAL5, this interface for Cisco 7000 series routers minimizes performance bottlenecks at the
UNI. See also: AAL3/4 and AAL5.
algorithm A set of rules or process used to solve a problem. In networking,
algorithms are typically used for finding the best route for traffic from a
source to its destination.
alignment error An error occurring in Ethernet networks, in which a
received frame has extra bits; that is, a number not divisible by eight. Alignment errors are generally the result of frame damage caused by collisions.
all-routes explorer packet An explorer packet that can move across an
entire SRB network, tracing all possible paths to a given destination. Also
known as an all-rings explorer packet. See also: explorer packet, local
explorer packet, and spanning explorer packet.
AM Amplitude Modulation: A modulation method that represents information by varying the amplitude of the carrier signal. See also: modulation.
AMI Alternate Mark Inversion: A line-code type on T1 and E1 circuits that
shows zeros as 01 during each bit cell, and ones as 11 or 00, alternately, during each bit cell. The sending device must maintain ones density in
AMI but not independently of the data stream. Also known as binary-coded,
alternate mark inversion. Contrast with: B8ZS. See also: ones density.
amplitude
analog transmission Signal messaging whereby information is represented by various combinations of signal amplitude, frequency, and phase.
ANSI American National Standards Institute: The organization of corporate, government, and other volunteer members that coordinates standardsrelated activities, approves U.S. national standards, and develops U.S. positions in international standards organizations. ANSI assists in the creation of
international and U.S. standards in disciplines such as communications, networking, and a variety of technical fields. It publishes over 13,000 standards, for engineered products and technologies ranging from screw threads
to networking protocols. ANSI is a member of the IEC and ISO. See also:
IEC and ISO.
anycast An ATM address that can be shared by more than one end system,
allowing requests to be routed to a node that provides a particular service.
AppleTalk Currently in two versions, the group of communication protocols designed by Apple Computer for use in Macintosh environments. The
earlier Phase 1 protocols support one physical network with only one network number that resides in one zone. The later Phase 2 protocols support
more than one logical network on a single physical network, allowing networks to exist in more than one zone. See also: zone.
application layer Layer 7 of the OSI reference network model, supplying
services to application procedures (such as electronic mail or file transfer)
that are outside the OSI model. This layer chooses and determines the availability of communicating partners along with the resources necessary to
make the connection, coordinates partnering applications, and forms a consensus on procedures for controlling data integrity and error recovery.
See also: data-link layer, network layer, physical layer, presentation
layer, session layer, and transport layer.
ARA AppleTalk Remote Access: A protocol for Macintosh users establishing their access to resources and data from a remote AppleTalk location.
area A logical, rather than physical, set of segments (based on either
CLNS, DECnet, or OSPF) along with their attached devices. Areas are commonly connected to others using routers to create a single autonomous
system. See also: autonomous system.
ARM Asynchronous Response Mode: An HDLC communication mode
using one primary station and at least one additional station, in which transmission can be initiated from either the primary or one of the secondary
units.
ARP Address Resolution Protocol: Defined in RFC 826, the protocol that
traces IP addresses to MAC addresses. See also: RARP.
ASBR Autonomous System Boundary Router: A router placed at the boundary
between an OSPF autonomous system and a non-OSPF network. It runs both
OSPF and an additional routing protocol, such as RIP, and redistributes
routes between them. ASBRs must be located in a non-stub OSPF area. See also: ABR,
non-stub area, and OSPF.
ASCII American Standard Code for Information Interchange: A seven-bit
code for representing characters. It is usually carried in an eight-bit byte, with
the eighth bit used for parity or left at zero.
ASN.1 Abstract Syntax Notation One: An OSI language used to describe
types of data that is independent of computer structures and depicting
methods. Described by ISO International Standard 8824.
ASP AppleTalk Session Protocol: A protocol employing ATP to establish,
maintain, and tear down sessions, as well as sequence requests. See also: ATP.
AST Automatic Spanning Tree: A function that supplies one path for spanning explorer frames traveling from one node in the network to another, supporting the automatic resolution of spanning trees in SRB networks. AST is
based on the IEEE 802.1 standard. See also: IEEE 802.1 and SRB.
asynchronous transmission Digital signals sent without precise timing,
usually with different frequencies and phase relationships. Asynchronous
transmissions generally enclose individual characters in control bits (called
start and stop bits) that show the beginning and end of each character.
Contrast with: isochronous transmission and synchronous transmission.
ATCP AppleTalk Control Protocol: The protocol for establishing and configuring AppleTalk over PPP, defined in RFC 1378. See also: PPP.
ATDM Asynchronous Time-Division Multiplexing: A technique for
sending information, it differs from normal TDM in that the time slots are
assigned when necessary rather than preassigned to certain transmitters.
Contrast with: FDM, statistical multiplexing, and TDM.
ATG Address Translation Gateway: The mechanism within Cisco DECnet
routing software that enables routers to route multiple, independent
DECnet networks and to establish a user-designated address translation
for chosen nodes between networks.
backbone The basic portion of the network that provides the primary
path for traffic sent to and initiated from other networks.
back end A node or software program supplying services to a front end.
See also: client, front end, and server.
bandwidth The gap between the highest and lowest frequencies employed
by network signals. More commonly, it refers to the rated throughput
capacity of a network protocol or medium.
baseband A feature of a network technology that uses only one carrier frequency, for example Ethernet. Also named narrowband. Compare with:
broadband.
baud Synonymous with bits per second (bps), if each signal element represents one bit. It is a unit of signaling speed equivalent to the number of
separate signal elements transmitted per second.
B channel Bearer channel: A full-duplex, 64Kbps channel in ISDN that
transmits user data. Compare with: D channel, E channel, and H channel.
beacon An FDDI device or Token Ring frame that points to a serious
problem with the ring, such as a broken cable. The beacon frame carries the
address of the station thought to be down. See also: failure domain.
BECN Backward Explicit Congestion Notification: The bit set by a Frame
Relay network in frames traveling in the direction opposite to frames that
encountered a congested path. A DTE that receives frames with BECN set may ask
higher-level protocols to take necessary flow-control measures. Compare
with: FECN.
BGP4 BGP Version 4: Version 4 of the interdomain routing protocol most
commonly used on the Internet. BGP4 supports CIDR and uses route aggregation to decrease the size of routing tables. See also: CIDR.
binary A two-character numbering method that uses ones and zeros. The
binary numbering system underlies all digital representation of information.
BIP Bit Interleaved Parity: A method used in ATM to monitor errors on a
link, sending a check bit or word in the link overhead for the previous block
or frame. This allows bit errors in transmissions to be found and delivered as
maintenance information.
BISDN Broadband ISDN: ITU-T standards created to manage highbandwidth technologies such as video. BISDN presently employs ATM
technology along SONET-based transmission circuits, supplying data
rates between 155Mbps and 622Mbps and beyond. Contrast with N-ISDN.
See also: BRI, ISDN, and PRI.
bit-oriented protocol The class of data-link layer communication protocols
that can transmit frames regardless of frame content. Bit-oriented protocols, as compared with byte-oriented, supply more efficient and trustworthy,
full-duplex operation. Compare with: byte-oriented protocol.
border gateway A router that facilitates communication with routers in
different autonomous systems.
BPDU Bridge Protocol Data Unit: A Spanning-Tree Protocol initializing
packet that is sent at definable intervals for the purpose of exchanging information among bridges in networks.
BRI Basic Rate Interface: The ISDN interface that facilitates circuit-switched communication between video, data, and voice; it is made up of
two B channels (64Kbps each) and one D channel (16Kbps). Compare with:
PRI. See also: BISDN, ISDN.
bridge A device for connecting two segments of a network and transmitting packets between them. Both segments must use identical protocols to
communicate. Bridges function at the data-link layer, Layer 2 of the OSI reference model. The purpose of a bridge is to filter, send, or flood any
incoming frame, based on the MAC address of that particular frame.
broadband A transmission methodology for multiplexing several independent signals onto one cable. In telecommunications, broadband is classified as any channel with bandwidth greater than 4kHz (typical voice grade).
In LAN terminology, it is classified as a coaxial cable on which analog
signaling is employed. Also known as wideband. Contrast with: baseband.
broadcast A data frame or packet that is transmitted to every node on the
local network segment (as defined by the broadcast domain). Broadcasts are
known by their broadcast address, which is a destination network and host
address with all the bits turned on. Also called local broadcast. Compare
with: directed broadcasts.
broadcast domain A group of devices receiving broadcast frames initiating from any device within the group. Because they do not forward broadcast frames, broadcast domains are generally surrounded by routers.
broadcast storm An undesired event on the network caused by the simultaneous transmission of any number of broadcasts across the network segment. Such an occurrence can overwhelm network bandwidth, resulting in
time-outs.
buffer A storage area dedicated to handling data while in transit. Buffers
are used to receive/store sporadic deliveries of data bursts, usually received
from faster devices, compensating for the variations in processing speed.
Incoming information is stored until everything is received prior to sending
data on. Also known as an information buffer.
bus topology A linear LAN architecture in which transmissions from various stations on the network are reproduced over the length of the medium
and are accepted by all other stations. Compare with: ring, star, and tree
topologies.
bus Any physical path, typically wires or copper, through which a digital
signal can be used to send data from one part of a computer to another.
BUS broadcast and unknown server: In LAN emulation, the hardware or
software responsible for resolving all broadcasts and packets with unknown
(unregistered) addresses into the point-to-point virtual circuits required by
ATM. See also: LEC, LECS, LES, and LANE.
BX.25
bypass mode
an interface.
cell In ATM networking, the basic unit of data for switching and multiplexing. Cells have a defined length of 53 bytes, including a 5-byte header
that identifies the cells data stream and 48 bytes of payload. See also: cell
relay.
cell payload scrambling The method by which an ATM switch maintains
framing on some medium-speed edge and trunk interfaces (T3 or E3 circuits). Cell payload scrambling rearranges the data portion of a cell to maintain the line synchronization with certain common bit patterns.
cell relay A technology that uses small packets of fixed size, known as
cells. Their fixed length enables cells to be processed and switched in hardware at high speeds, making this technology the foundation for ATM and
other high-speed network protocols. See also: cell.
Centrex A local exchange carrier service, providing local switching that
resembles that of an on-site PBX. Centrex has no on-site switching capability. Therefore, all customer connections return to the CO. See also: CO.
CER Cell Error Ratio: The ratio in ATM of transmitted cells having errors to
the total number of cells sent in a transmission within a certain span of time.
channelized E1 Operating at 2.048Mbps, an access link that is sectioned
into 30 B channels and one D channel of 64Kbps each (a further time slot
carries framing), supporting DDR, Frame Relay, and X.25. Compare with: channelized T1.
channelized T1 Operating at 1.544Mbps, an access link that is sectioned
into 23 B channels and one D channel of 64Kbps each, where individual
channels or groups of channels connect to various destinations, supporting
DDR, Frame Relay, and X.25. Compare with: channelized E1.
CHAP Challenge Handshake Authentication Protocol: Supported on lines
using PPP encapsulation, it is a security feature that identifies the remote end,
helping keep out unauthorized users. The authenticator sends a random challenge,
and the remote end answers with a one-way hash of the challenge and the shared
secret (RFC 1994), so the secret itself never crosses the link and a captured
response cannot be replayed against a fresh challenge. After CHAP is performed, the router or
access server determines whether a given user is permitted access. It is a
newer, more secure protocol than PAP, which sends the password in the clear. Compare with: PAP.
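The exchange described in the CHAP entry, as an added example that is not part of the study guide or of Cisco IOS. It implements the RFC 1994 response (MD5 over identifier, secret and challenge) for both the authenticator and the remote peer; the peer name "branch-rtr" and the secrets are constructed for the example. Note the design caveat the code makes visible: the authenticator must keep the shared secret in recoverable form, so that store needs protecting.

```python
# Added illustration of the CHAP exchange (RFC 1994); example code, not from
# the study guide or from Cisco IOS. Peer name and secrets are constructed.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The access-server side: issues challenges and checks responses.

    Because the response is a hash over the plaintext secret, the
    authenticator must hold that secret in a recoverable form.
    """

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # peer name -> shared secret (bytes)
        self._next_id = 0
        self._outstanding = {}          # identifier -> challenge awaiting a response

    def challenge(self):
        """Issue a fresh random challenge and the identifier that ties a response to it."""
        self._next_id = (self._next_id + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._next_id] = chal
        return self._next_id, chal

    def verify(self, identifier, name, response):
        """Success or failure for one Response packet.

        Each challenge is consumed on first use, so a captured response
        cannot be replayed later."""
        chal = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def peer_answer(identifier, challenge, name, secret):
    """The remote end: sends its name and the hash, never the secret."""
    return name, chap_response(identifier, secret, challenge)


def demo(peer_secret):
    """Run one challenge/response with peer_secret configured on the remote end.

    Returns (first_attempt_ok, replay_of_same_response_ok)."""
    auth = Authenticator({"branch-rtr": b"s3cret-shared"})
    ident, chal = auth.challenge()
    name, resp = peer_answer(ident, chal, "branch-rtr", peer_secret)
    first = auth.verify(ident, name, resp)
    replay = auth.verify(ident, name, resp)   # same packet again: must fail
    return first, replay
```

demo(b"s3cret-shared") returns (True, False): the genuine peer authenticates once and the replayed response is rejected because the challenge was consumed. demo(b"wrong") returns (False, False).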
checksum A test for ensuring the integrity of sent data. It is a number calculated from a series of values taken through a sequence of mathematical functions, typically placed at the end of the data from which it is calculated, and
then recalculated at the receiving end for verification. Compare with: CRC.
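An added example for the checksum entry, not from the study guide: the RFC 1071 Internet checksum used by IP, TCP and UDP beside CRC-32, run on constructed sample data. It shows a class of corruption the ones'-complement sum cannot see (two 16-bit words exchanged, because addition is commutative) that a CRC does catch. Neither check is a security control: anything that can alter the data can recompute it, which is why integrity against an adversary needs a keyed MAC or a signature instead.

```python
# Added illustration for the checksum entry: RFC 1071 Internet checksum
# beside CRC-32 on constructed data. Example code, not from the study guide.
import struct
import zlib


def internet_checksum(data):
    """Ones'-complement sum of 16-bit words, as carried in IP, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    total = sum(words)
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def crc32(data):
    """CRC-32 with the IEEE 802.3 polynomial (the Ethernet frame check sequence)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def swap_words(data, i, j):
    """Constructed corruption: exchange the 16-bit words at positions i and j."""
    out = bytearray(data)
    out[2 * i:2 * i + 2], out[2 * j:2 * j + 2] = data[2 * j:2 * j + 2], data[2 * i:2 * i + 2]
    return bytes(out)


def detected(original, corrupted):
    """Which of the two integrity checks notices the change?"""
    return {
        "checksum": internet_checksum(original) != internet_checksum(corrupted),
        "crc32": crc32(original) != crc32(corrupted),
    }
```

The RFC 1071 worked vector (bytes 00 01 f2 03 f4 f5 f6 f7) yields 0x220D, and appending that value to the data makes the checksum recompute to zero, which is how a receiver verifies it. Swapping the first and third words of a constructed request line leaves the checksum unchanged while the CRC differs.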
choke packet When congestion exists, it is a packet sent to inform a transmitter that it should decrease its sending rate.
CIDR Classless Interdomain Routing: A method supported by classless
routing protocols, such as OSPF and BGP4, based on the concept of ignoring
the IP class of address, permitting route aggregation and VLSM that enable
routers to combine routes in order to minimize the routing information that
needs to be conveyed by the primary routers. It allows a group of IP networks to appear to other networks as a unified, larger entity. In CIDR, IP
addresses and their subnet masks are written as four dotted octets, followed
by a forward slash and the number of mask bits (a form of subnet
notation shorthand). See also: BGP4.
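An added example for the CIDR and address mask entries, not from the study guide: prefix and mask arithmetic, aggregation of contiguous prefixes into one supernet, and the directed-broadcast address of a subnet (the all-host-bits-set address that a router should not forward onto a LAN, since every host on it becomes an amplifier). It uses only the standard-library ipaddress module; all addresses are constructed.

```python
# Added illustration for the CIDR and address mask entries, using the
# standard-library ipaddress module. Example code, not from the study guide;
# every address below is constructed.
import ipaddress


def describe(cidr):
    """Break an address written in CIDR shorthand into its components."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # /31 and /32 have no separate network or broadcast address (RFC 3021)
    hosts = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "directed_broadcast": str(net.broadcast_address),
        "usable_hosts": hosts,
    }


def summarize(prefixes):
    """Aggregate contiguous prefixes into the fewest supernets (route summarization)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_directed_broadcast(dst, known_subnets):
    """True if dst is the all-host-bits-set address of one of the given subnets.

    This is the check behind dropping directed broadcasts at the LAN edge."""
    addr = ipaddress.ip_address(dst)
    for prefix in known_subnets:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return True
    return False
```

describe("172.16.37.5/20") reports network 172.16.32.0, mask 255.255.240.0 and directed broadcast 172.16.47.255 with 4094 usable hosts; four consecutive /24s summarize to a single /22, while two non-adjacent /24s stay separate.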
CIP Channel Interface Processor: A channel attachment interface for use in
Cisco 7000 series routers that connects a host mainframe to a control unit.
This device eliminates the need for an FEP (front-end processor) to attach channels.
CIR Committed Information Rate: Averaged over a minimum span of time
and measured in bps, a Frame Relay networks agreed-upon minimum rate
of transferring information.
Cisco FRAD Cisco Frame Relay access device: A Cisco product that supports Cisco IOS Frame Relay SNA services, connecting SDLC devices to
Frame Relay without requiring an existing LAN. May be upgraded to a
fully functioning multiprotocol router. Can activate conversion from
SDLC to Ethernet and Token Ring, but does not support attached LANs.
See also: FRAD.
CiscoFusion Ciscos name for the internetworking architecture under
which its Cisco IOS operates. It is designed to fuse together the capabilities
of its disparate collection of acquired routers and switches.
Cisco IOS software Cisco Internetwork Operating System software. The
kernel of the Cisco line of routers and switches that supplies shared functionality, scalability, and security for all products under its CiscoFusion
architecture. See also: CiscoFusion.
CiscoView GUI-based management software for Cisco networking
devices, enabling dynamic status, statistics, and comprehensive configuration information. Displays a physical view of the Cisco device chassis and
provides device-monitoring functions and fundamental troubleshooting
capabilities. May be integrated with a number of SNMP-based network
management platforms.
classical IP over ATM Defined in RFC 1577, the specification for running
IP over ATM that maximizes ATM features. Also known as CIA.
CLP Cell Loss Priority: The area in the ATM cell header that determines
the likelihood of a cell being dropped during network congestion. Cells with
CLP = 0 are considered insured traffic and are not apt to be dropped. Cells
with CLP = 1 are considered best-effort traffic that may be dropped during
congested episodes, delivering more resources to handle insured traffic.
CLR Cell Loss Ratio: The ratio of discarded cells to successfully delivered
cells in ATM. CLR can be designated a QoS parameter when establishing a
connection.
CO Central Office: The local telephone company office where all loops in
a certain area connect and where circuit switching of subscriber lines occurs.
collapsed backbone A nondistributed backbone where all network segments are connected to each other through an internetworking device. A collapsed backbone can be a virtual network segment at work in a device such
as a router, hub, or switch.
collision The effect of two nodes sending transmissions simultaneously in
Ethernet. When they meet on the physical media, the frames from each node
collide and are damaged. See also: collision domain.
collision domain The network area in Ethernet over which frames that
have collided will spread. Collisions are propagated by hubs and repeaters,
but not by LAN switches, routers, or bridges. See also: collision.
configuration register A 16-bit configurable value stored in hardware or
software that determines how Cisco routers function during initialization. In
hardware, the bit position is set using a jumper. In software, it is set by specifying specific bit patterns used to set startup options, configured using a
hexadecimal value with configuration commands.
congestion
DDP Datagram Delivery Protocol: Used in the AppleTalk suite of protocols as a connectionless protocol that is responsible for sending datagrams
through an internetwork.
DDR dial-on-demand routing: A technique that allows a router to automatically initiate and end a circuit-switched session per the requirements of
the sending station. By mimicking keepalives, the router fools the end station
into treating the session as active. DDR permits routing over ISDN or telephone lines via a modem or external ISDN terminal adapter.
default route The static routing table entry used to direct packets whose
next hop is not spelled out in the dynamic routing table.
delay The time elapsed between a senders initiation of a transaction and
the first response they receive. Also, the time needed to move a packet from
its source to its destination over a path. See also: latency.
demarc The demarcation point between the customer premises equipment
(CPE) and the telcos carrier equipment.
demodulation A series of steps that return a modulated signal to its original form. When receiving, a modem demodulates an analog signal to its
original digital form (and, conversely, modulates the digital data it sends into
an analog signal). See also: modulation.
demultiplexing The process of converting a single multiplex signal, comprising more than one input stream, back into separate output streams. See
also: multiplexing.
designated bridge In the process of forwarding a frame from a segment
to the root bridge, the bridge with the lowest path cost.
designated router An OSPF router that creates LSAs for a multiaccess
network and is required to perform other special tasks in OSPF operations.
Multiaccess OSPF networks that maintain a minimum of two attached
routers identify one router that is chosen by the OSPF Hello protocol, which
makes possible a decrease in the number of adjacencies necessary on a multiaccess network. This in turn reduces the quantity of routing protocol traffic
and the physical size of the database.
destination address The address for the network devices that will receive
a packet.
directed broadcast A data frame or packet that is transmitted to all nodes
on a specific remote network segment. Directed broadcasts are
known by their broadcast address, which is a destination subnet address
with all the host bits turned on. Compare with: local broadcasts.
discovery mode Also known as dynamic configuration, this technique is
used by an AppleTalk interface to gain information from a working node
about an attached network. The information is subsequently used by the
interface for self-configuration.
distance-vector routing algorithm In order to find the shortest path, this
group of routing algorithms iterates on the number of hops in a given route,
requiring each router to send its complete routing table with each update,
but only to its neighbors. Routing algorithms of this type tend to generate
loops, but they are fundamentally simpler than their link-state counterparts.
See also: link-state routing algorithm and SPF.
DLCI Data-Link Connection Identifier: Used to identify virtual circuits in a
Frame Relay network.
DNS
DSAP Destination Service Access Point: The service access point of a network
node, specified in the destination field of a packet. See also: SSAP and SAP.
DSR Data Set Ready: When a DCE is powered up and ready to run, this
EIA/TIA-232 interface circuit is also engaged.
DSU Data Service Unit: This device is used to adapt the physical interface
on a data terminal equipment (DTE) mechanism to a transmission facility
such as T1 or E1 and is also responsible for signal timing. It is commonly
grouped with the channel service unit and referred to as the CSU/DSU. See
also: CSU.
DTE data terminal equipment: Any device located at the user end of a user-network interface serving as a destination, a source, or both. DTE includes
devices such as multiplexers, protocol translators, and computers. The connection to a data network is made through data communications equipment (DCE)
such as a modem, using the clocking signals generated by that device. See
also: DCE.
DTR data terminal ready: An activated EIA/TIA-232 circuit communicating to the DCE the state of preparedness of the DTE to transmit or
receive data.
DUAL Diffusing Update Algorithm: Used in Enhanced IGRP, this convergence algorithm provides loop-free operation throughout an entire routes
computation. DUAL grants routers involved in a topology revision the
ability to synchronize simultaneously, while routers unaffected by this
change are not involved. See also: Enhanced IGRP.
DVMRP Distance Vector Multicast Routing Protocol: Based primarily on
the Routing Information Protocol (RIP), this Internet gateway protocol
implements a common, dense-mode IP multicast scheme, using IGMP
to transfer routing datagrams between its neighbors. See also: IGMP.
DXI Data Exchange Interface: Described in RFC 1482, DXI defines the
effectiveness of a network device such as a router, bridge, or hub to act as an
FEP to an ATM network by using a special DSU that accomplishes packet
encapsulation.
dynamic routing Also known as adaptive routing, this technique automatically adapts to traffic or physical network revisions.
E1 Generally used in Europe, a wide-area digital transmission scheme
carrying data at 2.048Mbps. E1 transmission lines are available for lease
from common carriers for private use.
E.164 1. Evolved from standard telephone numbering system, the standard
recommended by ITU-T for international telecommunication numbering,
particularly in ISDN, SMDS, and BISDN. 2. Label of field in an ATM
address containing numbers in E.164 format.
E channel Echo channel: A 64Kbps ISDN control channel used for circuit
switching. Specific description of this channel can be found in the 1984
ITU-T ISDN specification, but was dropped from the 1988 version.
See also: B, D, and H channels.
edge device A device that enables packets to be forwarded between legacy
interfaces (such as Ethernet and Token Ring) and ATM interfaces based on
information in the data-link and network layers. An edge device does not
take part in the running of any network layer routing protocol; it merely uses
the route description protocol in order to get the forwarding information
required.
EIP Ethernet Interface Processor: A Cisco 7000 series router interface
processor card, supplying 10Mbps AUI ports to support Ethernet Version 1 and
Ethernet Version 2 or IEEE 802.3 interfaces with a high-speed data path to
other interface processors.
ELAN Emulated LAN: An ATM network configured using a client/server
model in order to emulate either an Ethernet or Token Ring LAN. Multiple
ELANs can exist at the same time on a single ATM network and are made
up of a LAN Emulation Client (LEC), a LAN Emulation Server (LES), a
broadcast and unknown server (BUS), and a LAN Emulation Configuration
Server (LECS). ELANs are defined by the LANE specification. See also:
LANE, LEC, LECS, and LES.
ELAP EtherTalk Link Access Protocol: In an EtherTalk network, the
link-access protocol constructed above the standard Ethernet data-link layer.
encapsulation The technique used by layered protocols in which a layer
adds header information to the protocol data unit (PDU) from the
layer above. As an example, in Internet terminology, a packet would contain
a header from the physical layer, followed by a header from the network
layer (IP), followed by a header from the transport layer (TCP), followed by
the application protocol data.
encryption The conversion of information into a scrambled form that
effectively disguises it to prevent unauthorized access. Every encryption
scheme uses some well-defined algorithm, which is reversed at the receiving
end by an opposite algorithm in a process known as decryption.
holddown The state a route is placed in so that routers can neither advertise the route nor accept advertisements about it for a defined time period.
Holddown is used to surface bad information about a route from all
routers in the network. A route is generally placed in holddown when one
of its links fails.
hop The movement of a packet between any two network nodes. See also:
hop count.
hop count A routing metric that calculates the distance between a source and
a destination. RIP employs hop count as its sole metric. See also: hop and RIP.
HSCI High-Speed Communication Interface: Developed by Cisco, a
single-port interface that provides full-duplex synchronous serial
communications capability at speeds up to 52Mbps.
HSRP Hot Standby Router Protocol: A protocol that provides high network
availability and provides nearly instantaneous hardware failover without
administrator intervention. It generates a Hot Standby router group,
including a lead router that lends its services to any packet being
transferred to the Hot Standby address. If the lead router fails, it will be
replaced by any of the other routers, the standby routers, that monitor it.
HSSI High-Speed Serial Interface: A network standard physical connector
for high-speed serial linking over a WAN at speeds of up to 52Mbps.
ICD International Code Designator: Adapted from the subnetwork model
of addressing, this assigns the mapping of network layer addresses to ATM
addresses. HSSI is one of two ATM formats for addressing created by the
ATM Forum to be utilized with private networks. See also: DCC.
ICMP Internet Control Message Protocol: Documented in RFC 792, it is a
network layer Internet protocol for the purpose of reporting errors and
providing information pertinent to IP packet procedures.
IEEE Institute of Electrical and Electronics Engineers: A professional
organization that, among other activities, defines standards in a number of
fields within computing and electronics, including networking and
communications. IEEE standards are the predominant LAN standards used today
throughout the industry. Many protocols are commonly known by the reference
number of the corresponding IEEE standard.
IEEE 802.1 The IEEE committee specification that defines the bridging
group. The specification for STP (Spanning-Tree Protocol) is IEEE 802.1d.
The STP uses SPA (spanning-tree algorithm) to find and prevent network
loops in bridged networks. The specification for VLAN trunking is
IEEE 802.1q. Compare to: ISL.
IEEE 802.3 The IEEE committee specification that defines the Ethernet
group, specifically the original 10Mbps standard. Ethernet is a LAN
protocol that specifies physical layer and MAC sublayer media access. IEEE
802.3 uses CSMA/CD to provide access for many devices on the same network.
FastEthernet is defined as 802.3u, and Gigabit Ethernet is defined as
802.3q. See also: CSMA/CD.
IEEE 802.5
ITU-T International Telecommunication Union Telecommunication
Standardization Sector: This is a group of engineers that develops
worldwide standards for telecommunications technologies.
LAN Local Area Network: Broadly, any network linking two or more
computers and related devices within a limited geographical area (up to a
few kilometers). LANs are typically high-speed, low-error networks within a
company. Cabling and signaling at the physical and data-link layers of the
OSI are dictated by LAN standards. Ethernet, FDDI, and Token Ring
are among the most popular LAN technologies. Compare with: MAN
and WAN.
LANE LAN emulation: The technology that allows an ATM network to
operate as a LAN backbone. To do so, the ATM network is required to
provide multicast and broadcast support, address mapping (MAC-to-ATM),
SVC management, in addition to an operable packet format. Additionally,
LANE defines Ethernet and Token Ring ELANs. See also: ELAN.
LAN switch A high-speed, multiple-interface transparent bridging
mechanism, transmitting packets between segments of data-links, usually
referred to specifically as an Ethernet switch. LAN switches transfer
traffic based on MAC addresses. Multilayer switches are a type of
high-speed, special-purpose, hardware-based router. See also: multilayer
switch, cut-through packet switching, and store-and-forward packet
switching.
LAPB Link Access Procedure, Balanced: A bit-oriented data-link layer
protocol that is part of the X.25 stack and has its origin in SDLC. See also:
SDLC and X.25.
LAPD Link Access Procedure on the D channel: The ISDN data-link layer
protocol used specifically for the D channel and defined by ITU-T
Recommendations Q.920 and Q.921. LAPD evolved from LAPB and was created to
comply with the signaling requirements of ISDN basic access.
latency Broadly, the time it takes a data packet to get from one location to
another. In specific networking contexts, it can mean either 1) the time
elapsed (delay) between the execution of a request for access to a network by
a device and the time the mechanism actually is permitted transmission, or
2) the time elapsed between when a mechanism receives a frame and the time
that frame is forwarded out of the destination port.
Layer-3 switch
mips
multicast address A single address that points to more than one device
on the network by specifying a special non-existent MAC address specified
in that particular multicast protocol. Identical to group address. See also:
multicast.
multicast send VCC A two-directional point-to-point virtual control
connection (VCC) arranged by a LEC to a BUS, it is one of the three types
of informational link specified by phase 1 LANE. See also: control
distribute VCC and control direct VCC.
multilayer switch A highly specialized, high-speed, hardware-based type
of LAN router, the device filters and forwards packets based on their Layer
2 MAC addresses and Layer 3 network addresses. It's possible that even
Layer 4 can be read. Sometimes called a Layer 3 switch. See also: LAN
switch.
multiplexing The process of converting several logical signals into a single
physical signal for transmission across one physical channel. Contrast with:
demultiplexing.
NAK negative acknowledgment: A response sent from a receiver, telling the
sender that the information was not received or contained errors. Compare
with: acknowledgment.
NAT Network Address Translation: An algorithm instrumental in minimizing
the requirement for globally unique IP addresses, permitting an
organization whose addresses are not all globally unique to connect to the
Internet, regardless, by translating those addresses into globally routable
address space.
NBP Name Binding Protocol: In AppleTalk, the transport-level protocol
that interprets a socket client's name, entered as a character string, into
the corresponding DDP address. NBP gives AppleTalk protocols the capacity to
discern user-defined zones and names of mechanisms by showing and
keeping translation tables that map names to their corresponding socket
addresses.
neighboring routers Two routers in OSPF that have interfaces to a
common network. On networks with multiaccess, these neighboring routers
are dynamically discovered using the Hello protocol of OSPF.
NIC network interface card: An electronic circuit board placed in a
computer. The NIC provides network communication to a LAN.
NLSP NetWare Link Services Protocol: Novell's link-state routing
protocol, based on the IS-IS model.
NMP Network Management Processor: A Catalyst 5000 switch processor
module used to control and monitor the switch.
non-stub area In OSPF, a resource-consuming area carrying a default
route, intra-area routes, interarea routes, static routes, and external routes.
Non-stub areas are the only areas that can have virtual links configured
across them and exclusively contain an autonomous system boundary router
(ASBR). Compare with: stub area. See also: ASBR and OSPF.
NRZ Nonreturn to Zero: One of several encoding schemes for transmitting
digital data. NRZ signals sustain constant levels of voltage with no signal
shifting (no return to zero-voltage level) during a bit interval. If there is a
series of bits with the same value (1 or 0), there will be no state change. The
signal is not self-clocking. See also: NRZI.
NRZI Nonreturn to Zero Inverted: One of several encoding schemes for
transmitting digital data. A transition in voltage level (either from high to
low or vice-versa) at the beginning of a bit interval is interpreted as a value
of 1; the absence of a transition is interpreted as a 0. Thus, the voltage
assigned to each value is continually inverted. NRZI signals are not
self-clocking. See also: NRZ.
NVRAM Non-Volatile RAM: Random-access memory that keeps its contents
intact while power is turned off.
OC Optical Carrier: A series of physical protocols, designated as OC-1,
OC-2, OC-3, and so on, for SONET optical signal transmissions. OC signal
levels place STS frames on a multimode fiber-optic line at various speeds, of
which 51.84Mbps is the lowest (OC-1). Each subsequent protocol runs at a
speed divisible by 51.84. See also: SONET.
100BaseT Based on the IEEE 802.3u standard, 100BaseT is the FastEthernet
specification of 100Mbps baseband that uses UTP wiring. 100BaseT sends
link pulses (containing more information than those used in 10BaseT) over
the network when no traffic is present. See also: 10BaseT, FastEthernet, and
IEEE 802.3.
PDN Public Data Network: Generally for a fee, a PDN offers the public
access to computer communication network operated by private concerns or
government agencies. Small organizations can take advantage of PDNs,
aiding them in creating WANs without investing in long-distance equipment
and circuitry.
PGP Pretty Good Privacy: A popular public-key/private-key encryption
application offering protected transfer of files and messages.
physical layer The lowest layer, Layer 1, in the OSI reference model, it
is responsible for converting data packets from the data-link layer (Layer 2)
into electrical signals. Physical-layer protocols and standards define, for
example, the type of cable and connectors to be used, including their pin
assignments and the encoding scheme for signaling 0 and 1 values. See also:
application layer, data-link layer, network layer, presentation layer, session
layer, and transport layer.
ping packet Internet groper: A Unix-based Internet diagnostic tool,
consisting of a message sent to test the accessibility of a particular device
on the IP network. The acronym (from which the full name was formed) reflects
the underlying metaphor of submarine sonar. Just as the sonar operator
sends out a signal and waits to hear it echo (ping) back from a submerged
object, the network user can ping another node on the network and wait to
see if it responds.
plesiochronous Nearly synchronous, except that clocking comes from an
outside source instead of being embedded within the signal as in
synchronous transmissions.
PLP Packet Level Protocol: Occasionally called X.25 Level 3 or X.25
Protocol, a network-layer protocol that is part of the X.25 stack.
PNNI Private Network-Network Interface: An ATM Forum specification
for offering topology data used for the calculation of paths through the
network, among switches and groups of switches. It is based on well-known
link-state routing procedures and allows for automatic configuration in
networks whose addressing scheme is determined by the topology.
point-to-multipoint connection In ATM, a communication path going
only one way, connecting a single system at the starting point, called the
root node, to systems at multiple points of destination, called leaves.
See also: point-to-point connection.
SCR Sustainable Cell Rate: An ATM Forum parameter used for traffic
management, it is the long-term average cell rate for VBR connections that
can be transmitted.
SDLC Synchronous Data-Link Control: A protocol used in SNA data-link
layer communications. SDLC is a bit-oriented, full-duplex serial protocol
that is the basis for several similar protocols, including HDLC and LAPB. See
also: HDLC and LAPB.
seed router In an AppleTalk network, the router that is equipped with
the network number or cable range in its port descriptor. The seed router
specifies the network number or cable range for other routers in that
network section and answers to configuration requests from nonseed routers
on its connected AppleTalk network, permitting those routers to affirm or
modify their configurations accordingly. Every AppleTalk network needs at
least one seed router physically connected to each network segment.
server
session layer Layer 5 of the OSI reference model, responsible for creating,
managing, and terminating sessions between applications and overseeing
data exchange between presentation layer entities. See also: application
layer, data-link layer, network layer, physical layer, presentation layer, and
transport layer.
SF super frame: A super frame (also called a D4 frame) consists of 12
frames with 192 bits each, with the 193rd bit providing other functions
including error checking. SF is frequently used on T1 circuits. A newer
version of the technology is Extended Super Frame (ESF), which uses 24
frames. See also: ESF.
signaling packet An informational packet created by an ATM-connected
mechanism that wants to establish connection with another such mechanism.
The packet contains the QoS parameters needed for connection and the ATM
NSAP address of the endpoint. The endpoint responds with a message of
acceptance if it is able to support the desired QoS, and the connection
is established. See also: QoS.
silicon switching A type of high-speed switching used in Cisco 7000
series routers, based on the use of a separate processor (the Silicon Switch
Processor, or SSP). See also: SSE.
sliding window The method of flow control used by TCP, as well as
several data-link layer protocols. This method places a buffer between the
receiving application and the network data flow. The window available
for accepting data is the size of the buffer minus the amount of data already
there. This window increases in size as the application reads data from it and
decreases as new data is sent. The receiver sends the transmitter
announcements of the current window size, and it may stop accepting data
until the window increases above a certain threshold.
SLIP Serial Line Internet Protocol: An industry standard serial
encapsulation for point-to-point connections that supports only a single
routed protocol, TCP/IP. SLIP is the predecessor to PPP. See also: PPP.
SMDS Switched Multimegabit Data Service: A packet-switched,
datagram-based WAN networking technology offered by telephone
companies that provides high speed.
SMTP Simple Mail Transfer Protocol: A protocol used on the Internet to
provide electronic mail services.
SNA System Network Architecture: A complex, feature-rich, network
architecture similar to the OSI reference model but with several variations;
created by IBM in the 1970s and essentially composed of seven layers.
SNAP Subnetwork Access Protocol: SNAP is a frame used in Ethernet,
Token Ring, and FDDI LANs. Data transfer, connection management, and
QoS selection are three primary functions executed by the SNAP frame.
socket 1. A software structure that operates within a network device as a
destination point for communications. 2. In AppleTalk networks, an entity
at a specific location within a node; AppleTalk sockets are conceptually
similar to TCP/IP ports.
SONET Synchronous Optical Network: The ANSI standard for synchronous
transmission on fiber-optic media, developed at Bell Labs. It specifies a
base signal rate of 51.84Mbps and a set of multiples of that rate, known as
Optical Carrier levels, up to 2.5Gbps.
SP Switch Processor: Also known as a ciscoBus controller, it is a Cisco 7000
series processor module acting as governing agent for all CxBus activities.
span
See: subnetwork.
subnet mask Also simply known as mask, a 32-bit address mask used in
IP to identify the bits of an IP address that are used for the subnet address.
Using a mask, the router does not need to examine all 32 bits, only those
selected by the mask. See also: address mask and IP address.
subnetwork 1. Any network that is part of a larger IP network and is
identified by a subnet address. A network administrator segments a network
into subnetworks in order to provide a hierarchical, multilevel routing
structure, and at the same time protect the subnetwork from the addressing
complexity of networks that are attached. Also known as a subnet. See also:
IP address, subnet mask, and subnet address. 2. In OSI networks, the term
specifically refers to a collection of ESs and ISs controlled by only one
administrative domain, using a solitary network connection protocol.
SVC switched virtual circuit: A dynamically established virtual circuit,
created on demand and dissolved as soon as transmission is over and the
circuit is no longer needed. In ATM terminology, it is referred to as a
switched virtual connection. See also: PVC.
switch 1. In networking, a device responsible for multiple functions such
as filtering, flooding, and sending frames. It works using the destination
address of individual frames. Switches operate at the data-link layer of the
OSI model. 2. Broadly, any electronic/mechanical device allowing
connections to be established as needed and terminated if no longer
necessary.
switched LAN Any LAN implemented using LAN switches. See also:
LAN switch.
synchronous transmission Signals transmitted digitally with precision
clocking. These signals have identical frequencies and contain individual
characters encapsulated in control bits (called start/stop bits) that designate
the beginning and ending of each character. See also: asynchronous
transmission and isochronous transmission.
T1 Digital WAN that uses 24 DS0s at 64K each to create a bandwidth of
1.536Mbps, minus clocking overhead, providing 1.544Mbps of usable
bandwidth.
T3
Telnet The standard terminal emulation protocol within the TCP/IP
protocol stack. Method of remote terminal connection, enabling users to log
in on remote networks and use those resources as if they were locally
connected. Telnet is defined in RFC 854.
10BaseT Part of the original IEEE 802.3 standard, 10BaseT is the Ethernet
specification of 10Mbps baseband that uses two pairs of twisted-pair,
Category 3, 4, or 5 cabling, using one pair to send data and the other to
receive. 10BaseT has a distance limit of about 100 meters per segment. See
also: Ethernet and IEEE 802.3.
VIP 1. Versatile Interface Processor: An interface card for Cisco 7000 and
7500 series routers, providing multilayer switching and running the Cisco
IOS software. The most recent version of VIP is VIP2. 2. Virtual IP: A
function making it possible for logically separated switched IP workgroups
to run Virtual Networking Services across the switch ports of a Catalyst 5000.
virtual circuit Abbreviated VC, a logical circuit devised to assure reliable
communication between two devices on a network. Defined by a virtual path
connection (VPC)/virtual path identifier (VCI) pair, a virtual circuit can be
permanent (PVC) or switched (SVC). Virtual circuits are used in Frame
Relay and X.25. Known as virtual channel in ATM. See also: PVC and SVC.
virtual ring In an SRB network, a logical connection between physical
rings, either local or remote.
VLAN Virtual LAN: A group of devices on one or more logically segmented
LANs (configured by use of management software), enabling devices
to communicate as if attached to the same physical medium, when they are
actually located on numerous different LAN segments. VLANs are based on
logical instead of physical connections and thus are tremendously flexible.
VLSM variable-length subnet mask: Helps optimize available address
space and specify a different subnet mask for the same network number on
various subnets. Also commonly referred to as subnetting a subnet.
WinSock Windows Socket Interface: A software interface that makes it
possible for an assortment of applications to use and share an Internet
connection. The WinSock software consists of a Dynamic Link Library (DLL)
with supporting programs such as a dialer program that initiates the
connection.
workgroup switching A switching method that supplies high-speed
(100Mbps) transparent bridging between Ethernet networks as well as
high-speed translational bridging between Ethernet and CDDI or FDDI.
X.25 An ITU-T packet-relay standard that defines communication
between DTE and DCE network devices. X.25 uses a reliable data-link layer
protocol called LAPB. X.25 also uses PLP at the network layer. X.25 has
mostly been replaced by Frame Relay.
ZIP Zone Information Protocol: A session-layer protocol used by AppleTalk
to map network numbers to zone names. NBP uses ZIP in the determination of
networks containing nodes that belong to a zone. See also: ZIP storm and
zone.
ZIP storm A broadcast storm occurring when a router running AppleTalk
reproduces or transmits a route for which there is no corresponding zone
name at the time of execution. The route is then forwarded by other routers
downstream, thus causing a ZIP storm. See also: broadcast storm and ZIP.
zone